Open Packet Broker NOS (OPBNOS) is a set of containerized applications built on, and running on top of, the open-source SONiC NOS. The NOS provides an affordable solution to aggregate, filter, replicate and load balance network traffic from hardware TAPs.
Filter, Replicate and Load Balance: OPBNOS provides the basic functionalities of any packet broker on commodity ASICs including filtering based on L2/L3/L4 headers, replicating traffic with unique identification and providing symmetric load balancing.
Deep Inspection, Truncate, Tunnel: Advanced functions include user-defined offset-based inspection of tunnelled packets (IP-in-IP, VXLAN, MPLS, GRE) and forwarding of monitored traffic across data centres using the IP underlay. A unique value-added feature is payload truncation, which reduces storage cost at the tool farm.
5G Ready: OPBNOS supports parsing of GTP-C and GTP-U packets, providing advanced filtering and load balancing based on inner headers.
Unified Management: Aviz FlowVision provides a single pane of glass to manage and visualize the solution. OPBNOS also supports industry-standard CLI and RESTful API for integration into customer orchestration systems.
Open-source Arkime (Moloch) is deployed for capturing packets from the network aggregators and load balancers. The capture module can sniff packets from the NIC and also supports processing packets from pcap files. The captured packets can be visualized using a simplified viewer that provides insight into the metadata, including packet headers and payloads. This component also writes the metadata to a centralized storage cluster for future analysis.
For centralized storage, an Elasticsearch (ES) cluster is used, which provides distributed, scalable storage with automatic sharding. The metadata saved across the Elasticsearch cluster is visualized using Kibana, which provides drilled-down information about sessions, network stats and dashboards.
Monitoring a cloud network spread across separate data centres can create blind spots that might lead to security and compliance issues. The solution provides comprehensive visibility across the cloud infrastructure, giving end-to-end visibility into applications and traffic flows and making it easier to correlate network and security events across data centres.
Aviz OPBNOS exposes the ASIC capabilities for advanced monitoring including deeper packet inspection for security applications, tunnelling (VXLAN) data across data centres using existing IP underlay, and 5G (GTP) packet processing for load balancing using inner headers. All these advanced capabilities support wire-speed forwarding of monitored traffic.
The architecture of the complete solution for packet monitoring and analysis is highly distributed, supporting per-site packet capture, analysis and troubleshooting. The extracted metadata from the monitored traffic is stored in a distributed clustered database for centralized analysis and visualization.
The solution provides end-to-end visibility and wire-speed access to network traffic without the need to invest in new hardware. OPBNOS is built on the open-source NOS SONiC, which is supported by the majority of ASIC and switch vendors, so customers can easily upgrade to this solution on their existing hardware. Packet capture, analysis and visualization are performed using open-source software running on commodity x86 hardware running Linux.
Aviz OPBNOS provides a highly scalable, flexible and affordable solution to aggregate, filter and load balance network traffic from hardware or virtual TAPs to connected tools for analysis and visualization.
It provides line-rate traffic forwarding using the switching ASIC by configuring flow paths between two or more ports. By leveraging the OPBNOS solution, enterprises can quickly scale up or down to meet the ever-changing demands of network visibility and security tools.
Download the latest build of OPBNOS from here
OPBNOS can be installed by following the installation guide
Log in to the switch with the default credentials
User: admin
Password: admin
Configure Management IP
Configure network ports (the ports that connect to the network TAPs)
Configure tool ports (the ports that connect to the security tools)
Configure flow to filter and forward traffic
Verify configured flow
The same rules can also be configured by using the Aviz FlowVision:
The cost-efficient open-source Packet Broker Visibility solution harnesses truly open-source tools for comprehensive visibility and analysis, with a benefit of up to 80% in TCO (Total Cost of Ownership).
The packet stream to Arkime will be fed by Aviz OPBNOS, providing the capability to filter, load-balance and aggregate traffic from network taps.
Arkime is a large-scale, open-source, indexed packet capture and search system that augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.
Arkime uses Elasticsearch (ES) as its backend data store for storing and indexing network traffic data. Elasticsearch is designed for fast indexing and searching of large volumes of data. It provides a flexible query language that lets users search and filter data on criteria such as IP addresses, ports, protocols and time ranges, and it scales horizontally, handling large data volumes across multiple nodes in a cluster.
Kibana is a free and open frontend application that sits on top of Elasticsearch (ES), providing search and data visualization capabilities for data indexed in Elasticsearch. Kibana is a data visualization and management tool for Elasticsearch that provides real-time histograms, line graphs, pie charts and maps. Kibana also includes advanced applications such as Canvas, which allows users to create custom dynamic infographics from their data, and Elastic Maps for visualizing geospatial data.
The Aviz OPB Visibility solution is based on open networking principles: open networking switch hardware running the software-defined OPB NOS, built on the open-source NOS SONiC, provides aggregation, filtering and load balancing of monitored traffic. The monitoring side is designed entirely around open-source analytics software for packet processing, storage and visibility on commodity x86 nodes.
The following OSes should work out of the box:
Arch
CentOS/RHEL 7, 8, 9
Amazon Linux 2
Ubuntu 18.04, 20.04, 22.04
An installation of Docker Container Engine.
Download the Kibana installation scripts from here
Copy the tar to the Kibana server and extract using the below command
Move to the extracted folder
Execute the ‘start.sh’ script; the script will perform the following actions:
Start the Kibana node on port 5601
Connect to the ES Storage node on port 9200
Start the Kibana container
Open URL http://<Kibana-server-ip>:5601/ from your favourite browser
Create Kibana Dashboards
Check that the Arkime and ES docker containers are running and their status is ‘UP’. If either container is not visible, try running ‘start.sh’ with the correct permissions; if the issue is not resolved, try
When Arkime is unable to connect correctly to Elasticsearch, the Arkime UI may not be reachable.
Check that the UI is reachable by visiting http://arkime-hostname:8005 from your browser
Add the vm.max_map_count setting to a sysctl configuration file to make the change persistent across reboots:
Open the sysctl configuration file /etc/sysctl.conf using a text editor with root privileges:
Add the following line to the end of the file:
Save and close the file
To apply the changes, either reboot your system or run the following command to reload the sysctl settings:
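The four steps above (open the file, add the line, save, reload) are easy to get wrong on a second run, which leaves duplicate or conflicting lines in the file. The script below is an added example, not part of the Aviz installation scripts: it writes or replaces the vm.max_map_count line idempotently, checks the configured and running values, and reloads the setting. It assumes the Elasticsearch-documented minimum of 262144 for vm.max_map_count; the file path defaults to /etc/sysctl.conf as in the guide but is a parameter so the logic can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example (not from the Aviz/OPBNOS installation scripts): make the
# vm.max_map_count setting persistent and verify it, without duplicating
# the line when the script is run again.
#
# Assumption: Elasticsearch documents 262144 as the minimum vm.max_map_count.
ES_MIN_MAX_MAP_COUNT=262144

# ensure_sysctl_line FILE KEY VALUE
# Replaces an existing "KEY = ..." line in FILE or appends one; idempotent.
ensure_sysctl_line() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Rewrite via a temp file so a failed write cannot truncate the original.
        tmp="${file}.tmp.$$"
        sed -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# configured_value FILE KEY -> prints the value of the last matching line (empty if none)
configured_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# count_key_lines FILE KEY -> how many lines set KEY (exactly 1 after ensure_sysctl_line)
count_key_lines() {
    grep -Ec "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# value_sufficient VALUE -> 0 if VALUE is a number >= the Elasticsearch minimum
value_sufficient() {
    [ "$1" -ge "$ES_MIN_MAX_MAP_COUNT" ] 2>/dev/null
}

# running_value -> the kernel's current value, read from /proc (no root needed)
running_value() {
    cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0
}

# apply_persistent [FILE] -> write the setting to FILE and load it (sysctl -p needs root)
apply_persistent() {
    f=${1:-/etc/sysctl.conf}
    ensure_sysctl_line "$f" vm.max_map_count "$ES_MIN_MAX_MAP_COUNT"
    sysctl -p "$f"
}
```

Run `apply_persistent` as root on the Arkime/ES host, then confirm with `value_sufficient "$(running_value)"`; the same check is useful after a reboot to catch a host where the file was edited but never reloaded.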
If port 9002 is used by another service running on the server, it can be changed in the ‘start.sh’ script before execution.
Port format: “Global port:Local port”
Using your favourite text editor, change the ‘Global port’ to any available and accessible port, and update the same port in the ‘ES_PORT’ attribute.
Log in to the Web GUI and navigate to User> admin_user ⚙️>Password, enter ‘admin’ as the current password and set a new password for the admin user.
If port 5601 is used by another service running on the server, it can be changed in the ‘start.sh’ script before execution; if the ES port was changed, it can be edited here as well, along with the ES node IP.
Execute the ‘stop.sh’ script to stop and delete the Arkime and ES docker containers; the script does not delete the data and es_data folders or the stored PCAPs.
Execute the ‘stop.sh’ script to stop and delete the Kibana docker container.
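Both port-change notes above (the ES mapping and the Kibana mapping) share the same two failure modes: a malformed “Global port:Local port” string, and a host-side port that is already bound so the container never comes up. The script below is an added example, not part of the Aviz start.sh scripts; it validates a mapping string before it is edited into start.sh and checks whether the global (host-side) port is already listening. It assumes the host-first order the guide gives and reads /proc/net/tcp and /proc/net/tcp6 for the in-use check, which works on Linux without root or extra tools.

```shell
#!/bin/sh
# Added example (not from the Aviz start.sh scripts): sanity-check a
# "Global port:Local port" mapping and whether the host port is free.

# is_port NUM -> 0 if NUM is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port_mapping "GLOBAL:LOCAL" -> 0 if both halves are valid ports
validate_port_mapping() {
    case $1 in
        *:*) ;;
        *) return 1 ;;
    esac
    g=${1%%:*}; l=${1#*:}
    case $l in *:*) return 1 ;; esac   # reject extra colons such as "a:b:c"
    is_port "$g" && is_port "$l"
}

# global_port / local_port "GLOBAL:LOCAL" -> print the respective half
global_port() { printf '%s\n' "${1%%:*}"; }
local_port()  { printf '%s\n' "${1#*:}"; }

# hex_port NUM -> 4-digit upper-case hex, the form /proc/net/tcp uses
hex_port() { printf '%04X\n' "$1"; }

# port_listening NUM -> 0 if a socket on this host is in LISTEN (state 0A) on NUM
port_listening() {
    h=$(hex_port "$1")
    # /proc/net/tcp columns: sl local_address rem_address st ...; local_address is ADDR:PORT in hex
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | \
        awk -v p="$h" '$4 == "0A" { split($2, a, ":"); if (a[2] == p) found = 1 } END { exit found ? 0 : 1 }'
}

# check_mapping "GLOBAL:LOCAL" -> prints a verdict; returns 1 if malformed, 2 if the host port is taken
check_mapping() {
    m=$1
    if ! validate_port_mapping "$m"; then
        printf 'invalid mapping: %s (expected Global port:Local port, each 1-65535)\n' "$m"
        return 1
    fi
    g=$(global_port "$m")
    if port_listening "$g"; then
        printf 'global port %s is already in use on this host; pick another\n' "$g"
        return 2
    fi
    printf 'mapping %s ok: host port %s is free\n' "$m" "$g"
}
```

Run `check_mapping "9002:9200"` (or whatever pair you intend to write into start.sh) on the server before editing; a return code of 2 means the conflict the guide warns about is present, and a fresh port should be chosen for both the mapping and ES_PORT.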
OPBNOS download link -
OPBNOS configuration guide -
Arkime installation script -
Aviz support portal -
Arkime official website -
Download the Arkime installation scripts from here
Copy the tar to the Arkime server and extract using the below command
Move to the extracted folder
Add permission to execute ‘start.sh’ and ‘stop.sh’ scripts
Execute the ‘start.sh’ script; the script will perform the following actions:
Start Local ES storage node on port 9200
Setup directories for PCAP and Log capture
Ask the user for Interfaces to capture data on
Start the Arkime container
Arkime uses Elasticsearch (ES) for indexing and searching, so ES must be installed before starting Arkime.
Open URL http://<arkime-server-ip>:8005/ from your favourite browser and enter the below credentials
User: admin
Password: admin
This section describes the ports that need to be opened and the software and hardware requirements, along with theoretical calculations for storage scaling requirements.
Customer Firewall Configuration
Note: If you want to run the above-provided services on non-default ports, refer here for the docker port forwarding to use:
Browser Requirements: Chrome, Safari
Software Requirements
Ubuntu 22.04
Docker needs to be installed.
python3 for running helper scripts.
The following installation scripts assume static IP addresses have been assigned to the hosts that run the docker containers, so having the list of host IP addresses at hand is helpful.
Make sure the capture interface for Arkime is in the UP state.
Service                                         Port
Elasticsearch                                   9200
Arkime                                          8005
Kibana                                          5601
HTTP                                            80
SSH/SCP                                         22
TCP connection for local to remote ES cluster   9300
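The prerequisites above (Docker and python3 present, the Arkime capture interface UP, and the listed ports open) are the items most often missed before start.sh is run. The script below is an added example, not an Aviz script; it is a pre-installation check for a host that will run the Arkime, Elasticsearch and Kibana containers. It assumes the port list is the firewall table above, that the capture interface name is passed in, that the interface state is read from /sys/class/net/<if>/operstate (Linux), and that reachability is probed with bash's /dev/tcp redirection (so bash and the coreutils timeout command are required for that one check).

```shell
#!/bin/sh
# Added example (not from Aviz): pre-installation checks for an
# Arkime / Elasticsearch / Kibana host, based on the prerequisites above.

# Service ports, "name:port", transcribed from the firewall table above.
REQUIRED_PORTS="elasticsearch:9200 arkime:8005 kibana:5601 http:80 ssh:22 es-transport:9300"

# have_cmd NAME -> 0 if NAME is on PATH
have_cmd() { command -v "$1" >/dev/null 2>&1; }

# iface_is_up IFACE [SYSFS_ROOT] -> 0 if the interface's operstate reads "up"
iface_is_up() {
    root=${2:-/sys/class/net}
    [ "$(cat "$root/$1/operstate" 2>/dev/null)" = "up" ]
}

# port_of NAME -> prints the port assigned to NAME in REQUIRED_PORTS; returns 1 if unknown
port_of() {
    for entry in $REQUIRED_PORTS; do
        [ "${entry%%:*}" = "$1" ] && { printf '%s\n' "${entry#*:}"; return 0; }
    done
    return 1
}

# tcp_reachable HOST PORT -> 0 if a TCP connect succeeds within 3 seconds (needs bash + timeout)
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# preflight CAPTURE_IFACE [ES_HOST] -> prints one line per check; returns the number of hard failures
preflight() {
    iface=$1; es_host=${2:-127.0.0.1}; fails=0
    es_port=$(port_of elasticsearch)
    for c in docker python3; do
        if have_cmd "$c"; then echo "ok    $c found"; else echo "FAIL  $c missing"; fails=$((fails + 1)); fi
    done
    if iface_is_up "$iface"; then echo "ok    $iface is UP"; else echo "FAIL  $iface is not UP"; fails=$((fails + 1)); fi
    # ES is started by start.sh, so an unreachable ES before install is a warning, not a failure.
    if tcp_reachable "$es_host" "$es_port"; then
        echo "ok    elasticsearch reachable on $es_host:$es_port"
    else
        echo "WARN  elasticsearch not reachable on $es_host:$es_port (expected if ES is not started yet)"
    fi
    return "$fails"
}
```

Run `preflight eth1` (substituting the capture interface) on the Arkime host and `preflight eth0 <es-node-ip>` on the Kibana host once ES is up; a non-zero return means a hard prerequisite is missing and start.sh should not be run yet.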