What is ZNeTS ?
ZNeTS "The Network Traffic Supervisor" is the ultimate tool for monitoring and recording machines traffic for months on one or more LANs.
ZNeTS can acquire data from multiple sources (one or many netflow/IPFIX probes or directly from a physical interface). So, it is easy to deploy ZNeTS whatever the architecture of your network!
ZNeTS is not just a collector. It uses optimized flows that are re-aggregated during a adjustable period (from 1 minute to 1 hour).
ZNeTS may even send its flows to another collector (it behaves then as a NetflowV9 probe)
ZNeTS graphical interface is intuitive and ergonomic. Metrology offers two levels of detail. Alerts are simple and relevant (based on counting algorithms). Access to the network flows are easy, the selection forms are pre-filled automatically with each interaction. 2-click on charts or alert are enough to see the corresponding flows.
What's the goal ?
ZNeTS is a powerful and easy tool whose purpose is :
- The acquisition and conservation of inbound and outbound network flows (during many months or years... even on very high speed networks). Legally, this traces may be required in an investigation, and protect your institution from being sentenced.
- Research and filter data, with an integrated search engine. You could quickly and accurately analyze the consequences of an attack, virus, or highlight a theft of information...
- The detection of anomalies causing the generation of alert and optionnal email sending. ZNeTS detected in near real time, misuse of computer resources (peer-to-peer, server ...), hacker scans, spam, ... and send alerts, so you will be very quick to react !
- Metrology, with the calculation and visualization of hourly and daily statistics of the overall traffic and detailled traffic (for each subnet, and machine on the LAN).
So, how does the data look like ?
The raw data collected by ZNeTS are aggregated and stored all fractions of an hour (time to configure) in the DBMS.
databases (from Maxmind
) are available, they are used to resolve country and autonomous system number.
ZNeTS flows are bidirectional (unlike netflow's one). They are inherently incoming or outgoing.
Thus, they are less compressed and naturally indexed by the local IP address.
ZNeTS flow's record is composed of the following fields:
- IpLocal: the local machine's IP
- Direction: the direction of flow (incoming or outgoing)
- IpExtern: the IP of the external machine
- Country: the country of the external machine
- ASnum: the AS number of the external machine
- LocalPort: port number used on the local machine
- ExternPort: port number used on the external machine
- Tcpflags: logical OR of TCP flags
- Inctraffic: The amount of incoming traffic in bytes
- Outtraffic: The amount of outgoing traffic in bytes
- Incpkts: number of incoming packet
- Outpkts: number of outgoing packet
- firsttimestamp: timestamp 1 Packet IP
- lasttimestamp: timestamp of the last IP Packet
- geoip data: country id and as number
What's about the metrology ?
The statistics are calculated from raw data in real time.
The user interface is very ergonomic (simple, intuitive and relevant). There is really many charts (40 different kinds)
Most of them are "TOP10" stacked charts, to visualize instantly the 10 biggest consumers of a resource. Two levels of details are available for quiet all charts.
=> Test interface ZNeTS with fixed data
and... What's kind of alert is there ?
Traffic anomalies likely to be detected are 8 different kinds :
- A local machine has contacted more than X external machines
- Local machine has scanned an external machine
- An external machine has scanned a machine internal
- A local machine has sent queries to an unknown external DNS server
- A local machine has had an outgoing SMTP traffic abnormally high
- A local machine has contacted a compromised external machines
How to deploy?
ZNeTS is very modular. Depending on the architecture of your network, it may be wiser to use ZNeTS Sniffer mode or Netflow mode (and possibly the both).
Which kind of computer do I need to install ZNeTS ?
ZNeTS currently runs on Linux. Windows and Mac OS X version should be available soon.
It doesn't require much resource (CPU and RAM). It can be installed without problem on an old PC or a virtual machine. In extreme cases, only access time of the disk containing the database can be a bit limiting.
Can ZNeTS deal with high rate network ?
ZNeTS has been developed and tested in the biggest computing centers (with tens of gigabits average trafic). In all cases, ZNeTS works perfectly, and the database can easily contain several months of traffic.
The low resource consumption suggests that ZNeTS is very far from having reached its limits.
It allows you to have traces, which may be required in an investigation of request
Porsche 928 FRANCE
campsites camping in france