Changes between Version 1 and Version 2 of netmon2017netflow


Timestamp:
Nov 15, 2017, 9:31:53 AM (7 years ago)
Author:
admin
Comment:

--

= Monitoring Netflow Using nfdump/nfsen =

$ sudo apt-get update
$ sudo apt-get install build-essential autoconf
$ sudo apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev \
       libmailtools-perl php5 bison flex

Now proceed to download and build. Note that only the last step (make install) has to be done as root.

$ cd
$ wget http://www.ws.nsrc.org/downloads/nfdump-1.6.13.tar.gz
$ tar xvzf nfdump-1.6.13.tar.gz
$ cd nfdump-1.6.13
$ ./configure --help      # optional, shows the build settings available
$ ./configure --enable-nfprofile --enable-nftrack
$ make
$ sudo make install

== Testing nfcapd and nfdump ==

$ mkdir /tmp/nfcap-test
$ nfcapd -E -p 9001 -l /tmp/nfcap-test

... after a while, a series of flows should be dumped on your screen.

Stop the tool with CTRL+C, then look at the contents of /tmp/nfcap-test:

$ ls -l /tmp/nfcap-test

You should see one or more files called nfcapd.<YEAR><MON><DAY><HR><MIN>

Process the file(s) with nfdump:

$ nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz | less
$ nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz -s srcip/bytes

The first command lists the individual flow records; the second prints a Top N statistic of source addresses ranked by bytes. You should get some useful information :)
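As an added illustration of what the -s srcip/bytes statistic computes (this is example code written for this page, not part of nfdump or of the original lab), the script below aggregates flow records by a key field and ranks the keys by bytes, packets or flow count, so it also covers the other nfdump statistics of the same shape, such as dstip/packets. The flow records are constructed, and their simplified CSV column layout is an assumption made here; it is not nfdump's own -o csv format.

```python
"""Top-talker statistics over NetFlow records, in the spirit of nfdump -s srcip/bytes.

Added example, not part of the lab page or of nfdump/NfSen. The records below
are constructed; the column layout (a simplified CSV) is an assumption made for
this illustration and is not nfdump's own -o csv layout.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: eight flow records, addresses from private/documentation ranges.
SAMPLE_FLOWS = """\
first_seen,proto,srcip,srcport,dstip,dstport,packets,bytes
2017-11-15 09:31:53,TCP,10.10.0.5,51234,10.10.0.1,22,12,1500
2017-11-15 09:31:54,TCP,10.10.0.7,44100,203.0.113.10,443,400,512000
2017-11-15 09:31:55,UDP,10.10.0.5,53001,10.10.0.1,53,2,180
2017-11-15 09:31:56,TCP,10.10.0.7,44101,203.0.113.10,80,60,90000
2017-11-15 09:31:57,TCP,10.10.0.9,50001,10.10.0.1,22,3000,4200000
2017-11-15 09:31:58,ICMP,10.10.0.5,0,10.10.0.250,0,5,420
2017-11-15 09:31:59,TCP,10.10.0.9,50002,10.10.0.1,443,10,900
2017-11-15 09:32:00,UDP,10.10.0.7,53002,10.10.0.1,53,1,75
"""

NUMERIC = ("packets", "bytes", "srcport", "dstport")


def parse_flows(text):
    """Parse the CSV text into a list of dicts with integer counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in NUMERIC:
            row[col] = int(row[col])
        rows.append(row)
    return rows


def top_stat(flows, key="srcip", order="bytes", limit=10):
    """Aggregate flows by `key` and rank by `order` (bytes, packets or flows).

    This mirrors the nfdump -s <key>/<order> idea: sum the chosen counter per
    key value and list the largest first. "flows" counts records per key.
    Returns a list of (key, flows, packets, bytes) tuples.
    """
    if order not in ("bytes", "packets", "flows"):
        raise ValueError("order must be bytes, packets or flows")
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for f in flows:
        t = totals[f[key]]
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
        t["flows"] += 1
    # Largest counter first; ties broken by key so the output is stable.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][order], kv[0]))
    return [(k, v["flows"], v["packets"], v["bytes"]) for k, v in ranked[:limit]]


def scale(n):
    """Abbreviate large counts with K/M/G suffixes (decimal; nfdump's own rounding may differ)."""
    for unit, div in (("G", 1e9), ("M", 1e6), ("K", 1e3)):
        if n >= div:
            return f"{n / div:.1f} {unit}"
    return str(n)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"{'Src IP Addr':>16} {'Flows':>6} {'Packets':>8} {'Bytes':>10}")
    for ip, nflows, pkts, nbytes in top_stat(flows, "srcip", "bytes"):
        print(f"{ip:>16} {nflows:>6} {pkts:>8} {scale(nbytes):>10}")
```

Run it and 10.10.0.9 tops the table on bytes although it has the fewest flows, which is exactly the kind of host the Top N view is meant to surface; switching the order argument to "flows" ranks the same data the way -s srcip/flows would.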
== Installing and setting up NfSen ==

Download and compile. The patch fixes a problem reported at http://sourceforge.net/p/nfsen/bugs/31/

$ cd
$ wget http://www.ws.nsrc.org/downloads/nfsen-1.3.6p1.tar.gz
$ tar xvzf nfsen-1.3.6p1.tar.gz
$ cd nfsen-1.3.6p1
$ wget http://www.ws.nsrc.org/downloads/nfsen-socket6.patch
$ patch -p0 < nfsen-socket6.patch
$ cd etc
$ cp nfsen-dist.conf nfsen.conf
$ editor nfsen.conf

Set the $BASEDIR variable:

$BASEDIR = "/var/nfsen";

Set the users appropriately so that Apache can access files:

$WWWUSER = 'www-data';
$WWWGROUP = 'www-data';

Set the buffer size to something small, so that we see data quickly. You would not do this on a production system.

# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 2000;

Find the %sources definition, and change it to:

%sources = (
    'rtrX' => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
);

(Substitute your group's router for rtrX, and either remove or comment out the existing sample sources.)

Change the HTMLDIR from /var/www/nfsen/ to /var/www/html/nfsen/:

$HTMLDIR = "/var/www/html/nfsen/";

Now save and exit from the file.
== Create the netflow user on the system ==

$ sudo useradd -d /var/nfsen -G www-data -m -s /bin/false netflow

== Install NfSen and start it ==

Change directory back to just inside the source directory:

$ cd
$ cd nfsen-1.3.6p1

Now, finally, we install:

$ sudo perl install.pl etc/nfsen.conf

Press ENTER when prompted for the path to Perl.

== Install init script ==

In order to have nfsen start and stop automatically when the system starts, add a link in the init.d directory pointing to the nfsen startup script:

$ sudo ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
$ sudo update-rc.d nfsen defaults 20

== Start NfSen ==

$ sudo service nfsen start

Check that nfcapd processes have been started:

$ ps auxwww | grep nfcapd

== View flows via the web ==

You can find the nfsen page here:

http://pcX.ws.nsrc.org/nfsen/nfsen.php

If you are working in pairs, then both of you should point your web browser to the PC which is receiving flows.

You may see a message such as:

Frontend - Backend version mismatch!

This will go away if you reload the page; it's not a problem.

Done! Move on to the third lab, exercise3-nfsen-top-talkers.
== NOTES ==

=== Adding sources ===

If you have multiple routers in your network all sending flows to the same collector, you can either configure them to send to different ports on the collector, or you can tell nfsen the source IP address of each router. This allows nfsen to show distinct data from each source.

DON'T DO THIS NOW as you only have a single router, but if you needed to, you would do it as follows:

 1. Edit /var/nfsen/etc/nfsen.conf, and add the source(s), for example:

%sources = (
    'rtrX'  => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
    'rtrY'  => { 'port' => '9002', 'col' => '#00ff00', 'type' => 'netflow' },
    'gw'    => { 'port' => '9996', 'col' => '#ff0000', 'type' => 'netflow' },
);

 2. Reconfigure NfSen. You will need to run this every time you modify /var/nfsen/etc/nfsen.conf:

$ sudo /etc/init.d/nfsen reconfig

You should see:

New sources to configure : gw rtrY
Continue? [y/n] y

Add source 'gw'
Add source 'rtrY'

Start/restart collector on port '9002' for (rtr2)[pid]
Start/restart collector on port '9996' for (gw)[pid]

Restart nfsend:[pid]
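Because each source gets its own nfcapd collector bound to the port in its entry, a mistake in the %sources block (two sources on the same port, a port outside the valid range, a mistyped type) only shows up when reconfig tries to start the collectors. The script below is an added example, not part of NfSen or of this lab: it parses the %sources block and reports such problems before you run reconfig. It understands only the one-source-per-line layout used in this lab (an assumption), the nfsen.conf fragment it reads is constructed, and it accepts 'sflow' as well as 'netflow' as a source type on the assumption that the build has sfcapd available.

```python
"""Sanity-check the %sources block of an nfsen.conf before running reconfig.

Added example, not part of the lab page or of NfSen itself. It understands only
the one-source-per-line layout used in the lab (an assumption); the
configuration text below is constructed.
"""
import re

# Constructed nfsen.conf fragment: three collectors, two of which share a
# port. NfSen would try to start a second nfcapd on port 9002, which fails.
SAMPLE_CONF = """\
$BASEDIR = "/var/nfsen";
$WWWUSER = 'www-data';
$WWWGROUP = 'www-data';
$BUFFLEN = 2000;
%sources = (
    'rtrX'  => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
    'rtrY'  => { 'port' => '9002', 'col' => '#00ff00', 'type' => 'netflow' },
    'gw'    => { 'port' => '9002', 'col' => '#ff0000', 'type' => 'netflow' },
);
$HTMLDIR = "/var/www/html/nfsen/";
"""

# One source entry:  'name' => { ... },
SOURCE_RE = re.compile(r"^\s*'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}")
# One 'key' => 'value' pair inside the braces.
PAIR_RE = re.compile(r"'(?P<k>[^']+)'\s*=>\s*'(?P<v>[^']*)'")
# Types accepted here; 'sflow' is an assumption about the local build.
KNOWN_TYPES = ("netflow", "sflow")


def parse_sources(text):
    """Return {name: {key: value}} for the entries inside %sources = ( ... )."""
    sources = {}
    inside = False
    for line in text.splitlines():
        if re.match(r"^\s*%sources\s*=\s*\(", line):
            inside = True
            continue
        if inside and re.match(r"^\s*\)\s*;", line):
            break
        if not inside:
            continue
        m = SOURCE_RE.match(line)
        if m:
            sources[m.group("name")] = dict(PAIR_RE.findall(m.group("body")))
    return sources


def check_sources(sources):
    """Return a list of problems that would only surface at reconfig/start time."""
    problems = []
    seen_ports = {}
    for name, opts in sources.items():
        port = opts.get("port")
        if port is None:
            problems.append(f"{name}: no 'port' given")
        elif not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"{name}: port {port!r} is not a valid UDP port")
        elif port in seen_ports:
            problems.append(f"{name}: port {port} already used by {seen_ports[port]}")
        else:
            seen_ports[port] = name
        if opts.get("type") not in KNOWN_TYPES:
            problems.append(f"{name}: unknown type {opts.get('type')!r}")
        if not re.fullmatch(r"#[0-9a-fA-F]{6}", opts.get("col", "")):
            problems.append(f"{name}: col should be an #rrggbb colour")
    return problems


if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_CONF)
    for name, opts in srcs.items():
        print(f"{name}: port {opts.get('port')} type {opts.get('type')}")
    for p in check_sources(srcs):
        print("PROBLEM:", p)
```

On the constructed fragment it reports that gw reuses rtrY's port; moving gw back to port 9996, as in the lab's own example, clears the report. Run the same check against /var/nfsen/etc/nfsen.conf after each edit and before reconfig.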

perl -MCPAN -e 'install Socket6'
vi libexec/NfSenRRD.pm
1.5 to 1.6