Home
Vermont (VERsatile MONitoring Toolkit) is an open-source software toolkit for creating and processing network flow data from monitored Internet packet data. The IETF standard IPFIX (IP Flow Information eXport) defines the formats and procedures for handling these flows; the Netflow.v9 and PSAMP (Packet Sampling) standards are supported as well. Vermont runs on Linux and BSD derivatives. It can receive and process raw packets via PCAP (up to 10 Gbit/s) as well as IPFIX/Netflow.v9 flow data.
This is a fork of Vermont that focuses on aggregating HTTP-related information into IPFIX records in high-speed networks. The HTTP-related Information Elements (IEs) it uses are standardized and registered with IANA.
This fork of Vermont is developed by the Computer and Communications Group (ccs-labs.org) from the University of Paderborn. Legacy Vermont has been developed by the networking groups of FAU Erlangen (Computer Networks and Communication Systems) and TU München (Network Architectures and Services, formerly located in Tübingen) as part of the HISTORY Project.

Presently, the following modules are available:
- Packet capturers which read raw packets from an interface or a file using PCAP. The libzeroObserver module allows 10 Gbit/s capture rates using ntop's PF_RING drivers.
- Sampling algorithms and filters for raw packet selection
- Aggregators for generating customizable flow records from raw packets, including aggregation of HTTP-related IPFIX IEs
- Exporters for exporting flow records or packet reports to a remote collector using IPFIX over UDP or SCTP (with optional DTLS).
- Collectors for receiving Netflow.v9, IPFIX, and PSAMP data via UDP and SCTP (with optional DTLS)
- Analyzers for traffic examination and anomaly detection reporting events in IDMEF
- Signature-based intrusion detection on IPFIX flows using Snort rules
Modules can be linked in almost any combination: only the output data type of a module and the input data type of its successor need to be compatible. A module may also have more than one succeeding and preceding module. The following figure shows an example arrangement of several modules. In this configuration, Vermont captures packets using PCAP, filters these packets and exports the selected packet records. A second branch aggregates the packets into flows, which in turn are exported via IPFIX and analyzed in a portscan detector. The whole application framework is multithreaded, and each module may use dedicated threads for data processing. The example also shows a queue between two modules to buffer elements between threads.
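The two-branch arrangement described above, written out as a Vermont configuration. This is an added example and not a config file from the page or from the Vermont project; the element names (`ipfixConfig`, `observer`, `filter`, `packetQueue`, `packetAggregator`, `psampExporter`, `ipfixExporter`, `next`) follow the structure of Vermont's shipped example configurations as the editor recalls them, and the interface name, template IDs, collector address, ports and timeouts are placeholders. The portscan-detector module from the figure and the fork's HTTP IE aggregation are left out because their configuration syntax is not given on this page.

```xml
<!-- Added example, not from the Vermont repository. Element names are assumed
     from Vermont's example configs; interface, template IDs, collector
     address/port and timeouts are placeholders to adapt. -->
<ipfixConfig>

  <!-- Root of both branches: capture from eth0 via PCAP. Two <next> entries
       fan the packet stream out to a filter (branch A) and a queue (branch B).
       Both successors consume packets, so the data types are compatible. -->
  <observer id="1">
    <interface>eth0</interface>
    <pcap_filter>ip</pcap_filter>
    <next>2</next>
    <next>4</next>
  </observer>

  <!-- Branch A: count-based sampling keeps 1 of every 10 packets, then the
       selected packets are exported as PSAMP packet reports. -->
  <filter id="2">
    <countBased>
      <interval>10</interval>
      <spacing>1</spacing>
    </countBased>
    <next>3</next>
  </filter>

  <psampExporter id="3">
    <packetReporting>
      <templateId>888</templateId>
      <reportedIE><ieName>sourceIPv4Address</ieName></reportedIE>
      <reportedIE><ieName>destinationIPv4Address</ieName></reportedIE>
      <reportedIE><ieName>sourceTransportPort</ieName></reportedIE>
      <reportedIE><ieName>destinationTransportPort</ieName></reportedIE>
      <reportedIE><ieName>protocolIdentifier</ieName></reportedIE>
    </packetReporting>
    <collector>
      <ipAddress>192.0.2.10</ipAddress>
      <transportProtocol>17</transportProtocol> <!-- 17 = UDP -->
      <port>1500</port>
    </collector>
  </psampExporter>

  <!-- Branch B: a queue decouples the capture thread from aggregation so a
       slow aggregator does not stall the observer; packets are then grouped
       into 5-tuple flows and exported as IPFIX. -->
  <packetQueue id="4">
    <maxSize>10000</maxSize>
    <next>5</next>
  </packetQueue>

  <packetAggregator id="5">
    <rule>
      <templateId>998</templateId>
      <flowKey><ieName>sourceIPv4Address</ieName></flowKey>
      <flowKey><ieName>destinationIPv4Address</ieName></flowKey>
      <flowKey><ieName>sourceTransportPort</ieName></flowKey>
      <flowKey><ieName>destinationTransportPort</ieName></flowKey>
      <flowKey><ieName>protocolIdentifier</ieName></flowKey>
      <nonFlowKey><ieName>flowStartMilliseconds</ieName></nonFlowKey>
      <nonFlowKey><ieName>flowEndMilliseconds</ieName></nonFlowKey>
      <nonFlowKey><ieName>packetDeltaCount</ieName></nonFlowKey>
      <nonFlowKey><ieName>octetDeltaCount</ieName></nonFlowKey>
    </rule>
    <!-- A flow is emitted when idle for 30 s, or after 120 s at the latest. -->
    <expiration>
      <inactiveTimeout unit="sec">30</inactiveTimeout>
      <activeTimeout unit="sec">120</activeTimeout>
    </expiration>
    <pollInterval unit="msec">1000</pollInterval>
    <next>6</next>
  </packetAggregator>

  <ipfixExporter id="6">
    <collector>
      <ipAddress>192.0.2.10</ipAddress>
      <transportProtocol>17</transportProtocol>
      <port>4739</port> <!-- IANA-assigned IPFIX port -->
    </collector>
  </ipfixExporter>

</ipfixConfig>
```

Both exporters here send over plain UDP, which is unauthenticated and loss-prone; for a production deployment, use the SCTP and DTLS options the module list above mentions, and restrict the collector port to the monitoring probes' addresses. Adding a detector module is a matter of giving the aggregator a second `<next>` pointing at it, since a module may have several successors.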

Vermont can be run on any Linux-based system. For more information, please see the Download Page and follow the instructions there.