Pktvisor: Open source tool for network visibility
The importance of applications and digital services has skyrocketed in 2020. Connectivity and resilience are imperative to keeping people connected and business moving forward. Visibility into network traffic, especially in distributed edge environments and with malicious attacks on the rise, is a critical part of ensuring uptime and performance.
“NS1 created pktvisor to address our need for more visibility across our global anycast network,” said Shannon Weyrick, VP of architecture at NS1. “By efficiently summarizing and collecting key metrics at all of our edge locations we gain a deep understanding of traffic patterns in real time, enabling rich visualization and fast automation which further increase our resiliency and performance. We are big users of and believers in open source software. As this tool will benefit other organizations leveraging distributed edge architectures, we’ve made it open and we invite the developer community to help drive future updates and innovation.”
More about pktvisor
Pktvisor summarizes network traffic in real time directly on edge nodes with Apache data sketches. The summary information may be visualized locally via the included CLI UI, and simultaneously centrally collected via HTTP to your time series database of choice, to drive global visualizations and automation.
- Packet counts and rates (w/percentiles), breakdown by ingress/egress, protocol
- DNS counts and rates, breakdown by protocol, response code
- Cardinality: Source and destination IP, DNS Qname
- DNS transaction timings (w/percentiles)
- Top 10 heavy hitters for IPs and ports; DNS Qnames, Qtypes, Result Codes; slow DNS transactions, NX, SRVFAIL, REFUSED Qnames; and GeoIP and ASN
The metrics pktvisor provides can help network and security teams by supplementing existing metrics to help understand traffic patterns, identify attacks, and gather information on how to mitigate them.
Available as a Docker container, it is easy to install and has low network and storage requirements. Due to its summarizing design, the amount of data collected is a function of the number of hosts being collected, not a function of traffic rates, so spikes or even DDoS attacks will not affect downstream collection systems.