constcast edited this page Jan 29, 2012 · 9 revisions

Vermont

Vermont (VERsatile MONitoring Toolkit) is an open-source software toolkit for the creation and processing of network flow data, based on monitored Internet packet data. The IETF standard IPFIX (IP Flow Information eXport) defines the formats and procedures for handling these flows. Furthermore, the Netflow.v9 and the PSAMP (Packet Sampling) standards are supported. Vermont runs on Linux and derivatives of BSD. It can receive and process raw packets via PCAP (up to 1 GBit/s) as well as IPFIX/Netflow.v9 flow data.

Vermont has been developed by the networking groups of FAU Erlangen (Computer Networks and Communication Systems) and TU München (Network Architectures and Services, formerly located in Tübingen) as part of the HISTORY Project.

Presently, the following modules are available:

  • Packet capturers which read raw packets from an interface or a file using PCAP
  • Sampling algorithms and filters for raw packet selection
  • Aggregators for generating customizable flow records from raw packets
  • Exporters for exporting flow records or packet reports to a remote collector using IPFIX over UDP or SCTP (with optional DTLS)
  • Collectors for receiving Netflow.v9, IPFIX, and PSAMP data via UDP and SCTP (with optional DTLS)
  • Analyzers for traffic examination and anomaly detection reporting events in IDMEF

Modules can be linked in almost any combination: only the output data type of a module and the input data type of its successor need to be compatible. A module may also have more than one succeeding and more than one preceding module. The following figure shows an example arrangement of several modules. In this configuration, Vermont captures packets using PCAP, filters these packets and exports the selected records. A second branch aggregates the packets into flows, which are in turn exported and analyzed in a portscan detector. The whole application framework is multithreaded, and each module may use dedicated threads for data processing. The example also shows a queue between two modules that buffers elements between them.
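As an added illustration of how such a module chain is wired up (this is an example written for this page, not a configuration shipped by the Vermont project), the following XML configuration links an observer, a packet queue, a packet aggregator and an IPFIX exporter by their module ids. The element names follow the Vermont configuration schema as the editor recalls it and should be treated as assumptions to be checked against the project's own configuration examples; the filter and portscan-detector branch from the figure is omitted here.

```xml
<!-- Added example configuration; element names are assumed from the Vermont XML config schema. -->
<ipfixConfig>
	<!-- Module 1: capture IP packets from eth0 via PCAP and hand them to module 2 -->
	<observer id="1">
		<interface>eth0</interface>
		<pcap_filter>ip</pcap_filter>
		<next>2</next>
	</observer>

	<!-- Module 2: queue that buffers packets between the observer and the aggregator thread -->
	<packetQueue id="2">
		<maxSize>1000</maxSize>
		<next>3</next>
	</packetQueue>

	<!-- Module 3: aggregate packets into flows keyed by the classic 5-tuple -->
	<packetAggregator id="3">
		<rule>
			<templateId>998</templateId>
			<flowKey><ieName>sourceIPv4Address</ieName></flowKey>
			<flowKey><ieName>destinationIPv4Address</ieName></flowKey>
			<flowKey><ieName>protocolIdentifier</ieName></flowKey>
			<flowKey><ieName>sourceTransportPort</ieName></flowKey>
			<flowKey><ieName>destinationTransportPort</ieName></flowKey>
			<nonFlowKey><ieName>flowStartMilliSeconds</ieName></nonFlowKey>
			<nonFlowKey><ieName>flowEndMilliSeconds</ieName></nonFlowKey>
			<nonFlowKey><ieName>octetDeltaCount</ieName></nonFlowKey>
			<nonFlowKey><ieName>packetDeltaCount</ieName></nonFlowKey>
		</rule>
		<!-- flows are closed after 5 s of inactivity or 10 s total -->
		<expiration>
			<inactiveTimeout unit="sec">5</inactiveTimeout>
			<activeTimeout unit="sec">10</activeTimeout>
		</expiration>
		<pollInterval unit="msec">1000</pollInterval>
		<next>4</next>
	</packetAggregator>

	<!-- Module 4: export the flows as IPFIX over UDP (protocol 17) to a collector; placeholder address -->
	<ipfixExporter id="4">
		<collector>
			<ipAddress>192.0.2.10</ipAddress>
			<transportProtocol>17</transportProtocol>
			<port>4739</port>
		</collector>
	</ipfixExporter>
</ipfixConfig>
```

Every `<next>` names the id of a successor module; a module with several successors simply lists several `<next>` elements.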

How to run it?

The easy way

Just try out Vermont by using the network monitoring appliance monkit. It captures packets from the network interface using Vermont in combination with PF_RING (a replacement for the standard packet capturing library PCAP) and also offers web interfaces (including the Vermont Management System) for configuration and data visualization. It is available as disk image for virtual machines (.vmdk), CD-Image with Installer or Debian package for Ubuntu 10.04!

This appliance saves you a lot of work: a Vermont installation including fast packet capturing, an IDS, and web interfaces for configuration and visualization is already set up and ready to use there!

The (slightly) harder way