Changes between Initial Version and Version 1 of NspwUprouse/Agenda/netflow

Timestamp: Sep 12, 2021, 5:37:29 PM
Author: admin
= Monitoring Netflow Using nfdump/nfsen =
In this hands-on you will install nfdump and nfsen on Ubuntu 20.04.


== Install nfdump ==

First, install the dependencies:
{{{
$ sudo apt-get install build-essential autoconf
$ sudo apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev \
       libmailtools-perl bison flex
}}}

You might get a dialog asking '''Make /etc/mrtg.cnf owned by and readable only by root?'''; select '''yes'''.

Now proceed to download and build. Note that only the last step (make install) has to be done as root.
{{{
$ cd
$ wget http://192.248.4.49/NetMon/nfdump-1.6.13.tar.gz
$ tar xvzf nfdump-1.6.13.tar.gz
$ cd nfdump-1.6.13
$ ./configure --help      # optional, shows the build settings available
$ ./configure --enable-nfprofile --enable-nftrack --enable-sflow
$ make
$ sudo make install
}}}

== Router Configuration ==

'''Note: This part is already done for you.'''

=== Cisco Router ===

Let's configure Netflow on a Cisco router:
 - Log in to the router and go to configuration mode
{{{
Router>enable
Password:
Router#configure terminal
Router(config)#
}}}

 - Create an exporter profile with the IP address of the server on which nfdump will run and the UDP transport port.
{{{
flow exporter EXPORTER-1
 description Export to nfdump
 destination <IP Address>
 transport udp <port>
 template data timeout 60
}}}

 - Define the flow monitor for IPv4 and reference the exporter created above.
{{{
flow monitor FLOW-MONITOR-V4
 exporter EXPORTER-1
 record netflow ipv4 original-input
 cache timeout active 300
}}}

 - Define the flow monitor for IPv6 and reference the same exporter.
{{{
flow monitor FLOW-MONITOR-V6
 exporter EXPORTER-1
 record netflow ipv6 original-input
 cache timeout active 300
}}}

 - Apply the flow monitors to the interface that exports the flows
{{{
interface FastEthernet 0/0
 ip flow monitor FLOW-MONITOR-V4 input
 ip flow monitor FLOW-MONITOR-V4 output
 ipv6 flow monitor FLOW-MONITOR-V6 input
 ipv6 flow monitor FLOW-MONITOR-V6 output
}}}

 - Save the configuration

=== HP Router ===

 - Log in to the router and go to system (configuration) view
{{{
<Router>system-view
[Router]
}}}

 - Create the sflow agent and set the sflow source IP (the IP address of the interface that exports the flows)
{{{
sflow agent ip <IP Address>
sflow source ip <IP Address>
}}}

 - Define the sflow collector with the nfdump server IP and transport port.
{{{
sflow collector 1 ip <IP Address> port <Port> description "Export to nfdump"
}}}

 - Reference the sflow collector from the interface and set the sampling parameters.
{{{
interface GigabitEthernet0/0
 sflow flow collector 1
 sflow sampling-rate 4000
 sflow counter collector 1
 sflow counter interval 120
}}}

 - Save the configuration

== Testing nfcapd/sfcapd and nfdump ==
If your institute's access router exports netflow, use nfcapd. If it exports sflow, use sfcapd.

=== For a netflow router ===
{{{
$ mkdir /tmp/nfcap-test
$ nfcapd -E -p 9001 -l /tmp/nfcap-test
}}}

... after a while, a series of flows should be dumped on your screen.

Stop the tool with CTRL+C, then look at the contents of /tmp/nfcap-test:
{{{
$ ls -l /tmp/nfcap-test
}}}

You should see one or more files called nfcapd.<YEAR><MON><DAY><HR><MIN>

Process the file(s) with nfdump:
{{{
nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz | less
nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz -s srcip/bytes
}}}
Here 201Y is the year and ww, xx, yy and zz are the month, day, hour and minute from the file name.

=== For a sflow router ===
{{{
$ mkdir /tmp/sfcap-test
$ sfcapd -E -p 9001 -l /tmp/sfcap-test
}}}

... after a while, a series of flows should be dumped on your screen.

Stop the tool with CTRL+C, then look at the contents of /tmp/sfcap-test:
{{{
$ ls -l /tmp/sfcap-test
}}}

You should see one or more files called sfcapd.<YEAR><MON><DAY><HR><MIN>

Process the file(s) with nfdump:

{{{
nfdump -r /tmp/sfcap-test/nfcapd.201Ywwxxyyzz | less
nfdump -r /tmp/sfcap-test/nfcapd.201Ywwxxyyzz -s srcip/bytes
}}}
Here 201Y is the year and ww, xx, yy and zz are the month, day, hour and minute from the file name.

== Installing and setting up NfSen ==

Download and compile nfsen.
{{{
$ cd
$ wget http://192.248.4.49/NetMon/nfsen-1.3.6p1.tar.gz
$ tar xvzf nfsen-1.3.6p1.tar.gz
$ cd nfsen-1.3.6p1
$ perl -MCPAN -e 'install Socket6'
Would you like to configure as much as possible automatically? [yes]
What approach do you want? (Choose local::lib, sudo or manual)
[local::lib]
$ cd etc
$ cp nfsen-dist.conf nfsen.conf
$ vi nfsen.conf
}}}

Set the $BASEDIR variable:
{{{
$BASEDIR = "/var/nfsen";
}}}

Set the users appropriately so that Apache can access the files:
{{{
$WWWUSER = 'www-data';
$WWWGROUP = 'www-data';
}}}

Set the buffer size to something small, so that we see data quickly. You would not do this on a production system.
{{{
# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 2000;
}}}

Find the %sources definition, and change it to:

'''For a netflow router'''
{{{
%sources=(
'accessrtr' => {'port'=>'9001','col'=>'#0000ff','type'=>'netflow'},
);
}}}

'''For a sflow router'''
{{{
%sources=(
'accessrtr' => {'port'=>'9001','col'=>'#0000ff','type'=>'sflow'},
);
}}}

(substitute your group's router for accessrtr, and either remove or comment out the existing sample sources).

Change $HTMLDIR from /var/www/nfsen/ to /var/www/html/nfsen/:
{{{
$HTMLDIR    = "/var/www/html/nfsen/";
}}}
Now save and exit from the file.

NfSen's RRD module only accepts rrdtool versions below 1.5, but the installed rrdtool is 1.6, so a small change to the version check is needed:
{{{
cd
vi nfsen-1.3.6p1/libexec/NfSenRRD.pm
}}}

Find the following line:
{{{
if ( $rrd_version >= 1.2 && $rrd_version < 1.5 )
}}}

and change it to:
{{{
if ( $rrd_version >= 1.2 && $rrd_version < 1.6 )
}}}

Create the netflow user on the system:
{{{
$ sudo useradd -d /var/nfsen -G www-data -m -s /bin/false netflow
}}}

=== Install NfSen and start it ===

Change directory back to the top of the source directory:
{{{
$ cd
$ cd nfsen-1.3.6p1
}}}

Now, finally, we install:
{{{
$ sudo perl install.pl etc/nfsen.conf
}}}

Press ENTER when prompted for the path to Perl.

=== Install init script ===

In order to have nfsen start and stop automatically when the system starts, add a link in the init.d directory pointing to the nfsen startup script:
{{{
$ sudo ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
$ sudo update-rc.d nfsen defaults 20
}}}

=== Start NfSen ===
{{{
$ sudo service nfsen start
}}}

=== View flows via the web ===

You can find the nfsen page here:

'''http://<your IP address>/nfsen/nfsen.php'''

You may see a message such as:

'''Frontend - Backend version mismatch!'''

This is harmless and goes away when you reload the page.

== Using NfSen to identify top talkers ==

Now let's use NfSen to explore the traffic flows in the network, with the aim of finding out who has been downloading the most data. Look carefully at the output generated at each step; ask an instructor to explain if you don't understand what you see.

 - Navigate to the Detail page

 - Select the time window: change from "Single Timeslot" to '''Time Window'''. Once you have done this, the vertical selector arrow and line in the graph window can be split.

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netmon2017netflow/ns1.png)]]

 - Pull the left half of the arrow to the left and the right half to the right, to select the time period of interest. You should then see summary statistics for the selected period appear in the table below the graph.

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netmon2017netflow/ns2.png)]]

 - List individual flows by selecting "List Flows", making sure none of the "Aggregate" boxes are checked, and clicking '''process'''. This displays some flows from the beginning of the time period, listed below the form.

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netmon2017netflow/ns3.png)]]

 - By selecting "bi-directional" you can get NfSen to associate the inbound and outbound flows into a single line.

 - If we know which host we want to examine, we can apply a filter to show only the flows to and from that host. Do this by entering "host x.x.x.x" in the filter box and pressing '''process''' again. (Replace x.x.x.x with the address of one of the host PCs.)

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netmon2017netflow/ns4.png)]]

 - The next thing we can do is get NfSen to sort the flows by number of bytes. Remove any filter from the Filter box; select "Stat TopN", stat "Flow Records", order by "Bytes". Ensure all the aggregate boxes are unchecked, then press '''process'''.

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netmon2017netflow/ns5.png)]]

 - NfSen can show inbound traffic grouped by receiving IP address, that is, the total amount of traffic delivered to each host. To do this, select stat "DST IP Address", order by "Bytes". Then apply a filter that shows only traffic to your group's network: "dst net 192.248.6.0/24". You can do the same for a single host.

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netmon2017netflow/ns6.png)]]

 - By clicking on an IP address, you will get some information from reverse DNS and whois.
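As an added example (not part of this hands-on, and not nfdump's or NfSen's own code), the following Python script reproduces what the nfdump commands in the testing section (`nfdump -s srcip/bytes`) and the NfSen "Stat TopN", "host" and "dst net" views above compute, over the CSV that `nfdump -r <file> -o csv` prints. It assumes nfdump's CSV header uses the column names sa, da and ibyt (source address, destination address, input bytes); the flow rows are constructed sample data rather than a real capture, and the script also shows how to pick the newest nfcapd.YYYYMMDDhhmm file from the capture directory.

```python
#!/usr/bin/env python3
"""Added example: rank flows by bytes the way `nfdump -s srcip/bytes` and the
NfSen Stat TopN / host / dst net views do, over nfdump's `-o csv` output."""
import csv
import io
import ipaddress
import re
from collections import Counter

# Assumption: nfdump's `-o csv` output carries at least the header names
# sa (source IP), da (destination IP) and ibyt (input bytes). The parser keys
# on header names, so extra columns are ignored.
# The rows below are constructed sample flows, not a real capture.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt
2021-09-12 17:00:01,2021-09-12 17:00:09,8.000,192.248.6.10,203.0.113.5,51234,443,TCP,120,90000
2021-09-12 17:00:01,2021-09-12 17:00:09,8.000,203.0.113.5,192.248.6.10,443,51234,TCP,1100,1500000
2021-09-12 17:00:03,2021-09-12 17:00:05,2.000,198.51.100.7,192.248.6.22,80,40111,TCP,200,250000
2021-09-12 17:00:03,2021-09-12 17:00:05,2.000,192.248.6.22,198.51.100.7,40111,80,TCP,60,4000
2021-09-12 17:00:04,2021-09-12 17:00:30,26.000,10.0.0.5,192.0.2.9,5000,5000,UDP,500,700000
2021-09-12 17:00:07,2021-09-12 17:00:08,1.000,203.0.113.5,192.248.7.3,443,39000,TCP,220,300000
Summary
flows,bytes,packets
6,2844000,2200
"""

# Capture files are named nfcapd.YYYYMMDDhhmm (twelve digits after the dot).
CAPTURE_NAME = re.compile(r"^nfcapd\.(\d{12})$")


def parse_flows(text):
    """Return a list of flow dicts with ibyt converted to int. Rows without a
    numeric ibyt and valid addresses (the trailing summary lines) are skipped."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["ibyt"] = int(row["ibyt"])
            ipaddress.ip_address(row["sa"])
            ipaddress.ip_address(row["da"])
        except (KeyError, TypeError, ValueError):
            continue
        flows.append(row)
    return flows


def top_by(flows, field, n=10):
    """Equivalent of `nfdump -s srcip/bytes` (field="sa") or `-s dstip/bytes`
    (field="da"): total bytes per address, largest first."""
    totals = Counter()
    for flow in flows:
        totals[flow[field]] += flow["ibyt"]
    return totals.most_common(n)


def filter_host(flows, host):
    """nfdump filter `host x.x.x.x`: flows to or from that address."""
    target = ipaddress.ip_address(host)
    return [f for f in flows
            if ipaddress.ip_address(f["sa"]) == target
            or ipaddress.ip_address(f["da"]) == target]


def filter_dst_net(flows, cidr):
    """nfdump filter `dst net a.b.c.d/len`: flows whose destination lies in the prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [f for f in flows if ipaddress.ip_address(f["da"]) in net]


def latest_capture(names):
    """Pick the newest nfcapd.YYYYMMDDhhmm file from a directory listing. The
    timestamp sorts lexicographically, so no date parsing is needed; files such
    as nfcapd.current.* are ignored. Returns None if nothing matches."""
    stamped = [n for n in names if CAPTURE_NAME.match(n)]
    return max(stamped) if stamped else None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    print("Top sources by bytes (like nfdump -s srcip/bytes):")
    for ip, nbytes in top_by(flows, "sa", 5):
        print(f"  {ip:<16} {nbytes:>10}")
    print("Top receivers in 192.248.6.0/24 (NfSen: stat DST IP, filter 'dst net 192.248.6.0/24'):")
    for ip, nbytes in top_by(filter_dst_net(flows, "192.248.6.0/24"), "da", 5):
        print(f"  {ip:<16} {nbytes:>10}")
    print("Newest capture:",
          latest_capture(["nfcapd.202109121700", "nfcapd.current.1234", "nfcapd.202109121705"]))
```

To run it against a real capture, replace SAMPLE_CSV with the output of `nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz -o csv`; the per-address totals should match the `-s srcip/bytes` statistics, and the `dst net` view matches what NfSen shows for your group's prefix.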