Changes between Version 3 and Version 4 of netmon2017netflow
Timestamp: Nov 15, 2017, 4:28:19 PM (7 years ago)
netmon2017netflow
v3 v4 1 1 = Monitoring Netflow Using nfdump/nfsen = 2 You will install nfdump and nfsen in this hands-on. 2 3 3 $ sudo apt-get update 4 == install nfdump == 5 6 First install dependancies 7 {{{ 4 8 $ sudo apt-get install build-essential autoconf 5 9 $ sudo apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev \ 6 libmailtools-perl php5 bison flex 10 libmailtools-perl bison flex 11 }}} 7 12 8 13 Now proceed to download and build. Note that only the last step (make install) has to be done as root. 9 14 {{{ 10 15 $ cd 11 16 $ wget http://www.ws.nsrc.org/downloads/nfdump-1.6.13.tar.gz … … 13 18 $ cd nfdump-1.6.13 14 19 $ ./configure --help # optional, shows the build settings available 15 $ ./configure --enable-nfprofile --enable-nftrack 20 $ ./configure --enable-nfprofile --enable-nftrack --enable-sflow 16 21 $ make 17 22 $ sudo make install 23 }}} 18 24 25 == Router Configuration == 19 26 20 Installing and setting up NfSen 27 == Testing nfcapd/sfcapd and nfdump == 28 If your institutes access router uses netflow you shloud use nfcapd. If it uses sflow you should use sfcapd. You can find your router's flow expoter from this [wiki:netmon2017flowtype table] 21 29 22 Download and compile. The patch is to fix a problem reported at http://sourceforge.net/p/nfsen/bugs/31/ 30 === For a netflow router === 31 $ mkdir /tmp/nfcap-test 32 $ nfcapd -E -p 9001 -l /tmp/nfcap-test 33 ... after a while, a series of flows should be dumped on your screen. 23 34 35 Stop the tool with CTRL+C, then look at the contents of /tmp/nfcap-test 36 37 $ ls -l /tmp/nfcap-test 38 You should see one or more files called nfcapd.<YEAR><MON><DAY><HR><MIN> 39 40 Process the file(s) with nfdump: 41 42 nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz | less 43 nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz -s srcip/bytes 44 45 === For a slow router === 46 $ mkdir /tmp/sfcap-test 47 $ sfcapd -E -p 9001 -l /tmp/sfcap-test 48 ... after a while, a series of flows should be dumped on your screen. 
49 50 Stop the tool with CTRL+C, then look at the contents of /tmp/nfcap-test 51 52 $ ls -l /tmp/sfcap-test 53 You should see one or more files called nfcapd.<YEAR><MON><DAY><HR><MIN> 54 55 Process the file(s) with nfdump: 56 57 nfdump -r /tmp/sfcap-test/sfcapd.201Ywwxxyyzz | less 58 nfdump -r /tmp/sfcap-test/sfcapd.201Ywwxxyyzz -s srcip/bytes 59 60 == Installing and setting up NfSen == 61 62 Download and compile nfsen. 63 {{{ 24 64 $ cd 25 65 $ wget http://www.ws.nsrc.org/downloads/nfsen-1.3.6p1.tar.gz 26 66 $ tar xvzf nfsen-1.3.6p1.tar.gz 27 67 $ cd nfsen-1.3.6p1 28 $ wget http://www.ws.nsrc.org/downloads/nfsen-socket6.patch 29 $ patch -p0 < nfsen-socket6.patch 68 $ perl -MCPAN -e 'install Socket6' 30 69 $ cd etc 31 70 $ cp nfsen-dist.conf nfsen.conf 32 $ editor nfsen.conf 71 $ vi nfsen.conf 72 }}} 33 73 34 74 Set the $BASEDIR variable 35 75 {{{ 36 76 $BASEDIR = "/var/nfsen"; 77 }}} 37 78 38 79 Set the users appropriately so that Apache can access files: 39 80 {{{ 40 81 $WWWUSER = 'www-data'; 41 82 $WWWGROUP = 'www-data'; 83 }}} 42 84 43 85 Set the buffer size to something small, so that we see data quickly. You would not do this on a production system. 44 86 45 87 # Receive buffer size for nfcapd - see man page nfcapd(1) 88 {{{ 46 89 $BUFFLEN = 2000; 90 }}} 47 91 48 92 Find the %sources definition, and change it to: 49 93 94 '''For a netflow router''' 95 {{{ 50 96 %sources=( 51 ' rtrX' => {'port'=>'9001','col'=>'#0000ff','type'=>'netflow'},97 'accessrtr' => {'port'=>'9001','col'=>'#0000ff','type'=>'netflow'}, 52 98 ); 99 }}} 100 101 '''For a sflow router''' 102 {{{ 103 %sources=( 104 'accessrtr' => {'port'=>'9001','col'=>'#0000ff','type'=>'sflow'}, 105 ); 106 }}} 53 107 54 108 (substitute your group's router for rtrX, and either remove or comment out the existing sample sources). 55 109 56 110 Change the HTMLDIR from /var/www/nfsen/ to /var/www/html/nfsen/ 111 {{{ 112 $HTMLDIR = "/var/www/html/nfsen/"; 113 }}} 114 Now save and exit from the file. 
57 115 58 $HTMLDIR = "/var/www/html/nfsen/"; 116 Deafault rrd tool version for nfsen is 1.5 but the latest version 1.6 therefore a slight configuration is needed 117 {{{ 118 vi libexec/NfSenRRD.pm 119 }}} 59 120 60 Now save and exit from the file. 121 Find the rrd tool setting from 1.5 to '''1.6''' 122 61 123 Create the netflow user on the system 62 124 {{{ 63 125 $ sudo useradd -d /var/nfsen -G www-data -m -s /bin/false netflow 126 }}} 64 127 65 128 Install NfSen and start it 66 129 67 130 Change directory back to just inside the source directory: 68 131 {{{ 69 132 $ cd 70 133 $ cd nfsen-1.3.6p1 134 }}} 71 135 72 136 Now, finally, we install: 73 137 {{{ 74 138 $ sudo perl install.pl etc/nfsen.conf 139 }}} 75 140 76 141 Press ENTER when prompted for the path to Perl. 142 77 143 Install init script 78 144 79 145 In order to have nfsen start and stop automatically when the system starts, add a link to the init.d diretory pointing to the nfsen startup script: 80 146 {{{ 81 147 $ sudo ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen 82 148 $ sudo update-rc.d nfsen defaults 20 149 }}} 83 150 84 151 Start NfSen 85 152 {{{ 86 153 $ sudo service nfsen start 87 88 Check that nfcapd processes have been started: 89 90 $ ps auxwww | grep nfcapd 154 }}} 91 155 92 156 View flows via the web: … … 94 158 You can find the nfsen page here: 95 159 96 http://pcX.ws.nsrc.org/nfsen/nfsen.php 97 98 If you are working in pairs, then both of you should point your web browser to the PC which is receiving flows. 160 '''http://<your IP address>/nfsen/nfsen.php 99 161 100 162 You may see a message such as: 101 163 102 Frontend - Backend version mismatch! 164 '''Frontend - Backend version mismatch!''' 103 165 104 166 This will go away if you reload the page, it's not a problem. 105 167 106 Done! 
Move on to the third lab, exercise3-nfsen-top-talkers107 NOTES108 Adding sources109 110 If you had multiple routers in your network all sending flows to the same collector, you can either configure them to send to different ports on the collector, or you can tell nfsen the source IP address of each router. This allows nfsen to show distinct data from each source.111 112 DON'T DO THIS NOW as you only have a single router, but if you needed to, you would do it as follows:113 114 edit /var/nfsen/etc/nfsen.conf, and add the source(s), for example:115 116 %sources = (117 'rtrX' => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },118 'rtrY' => { 'port' => '9002', 'col' => '#00ff00', 'type' => 'netflow' },119 'gw' => { 'port' => '9996', 'col' => '#ff0000', 'type' => 'netflow' },120 );121 122 Reconfigure NfSen.123 124 You will need to run this every time you modify /var/nfsen/etc/nfsen.conf:125 126 $ sudo /etc/init.d/nfsen reconfig127 128 You should see:129 130 New sources to configure : gw rtrY131 Continue? [y/n] y132 133 Add source 'gw'134 Add source 'rtrY'135 136 Start/restart collector on port '9002' for (rtr2)[pid]137 Start/restart collector on port '9996' for (gw)[pid]138 139 Restart nfsend:[pid]140 141 perl -MCPAN -e 'install Socket6'142 168 vi libexec/NfSenRRD.pm 143 169 1.5 to 1.6
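Review bot: dropping php5 from the dependency line (old line 6 / new line 10) leaves the page with no PHP package at all, yet the frontend it later opens is nfsen.php; on the target distribution the line needs the current PHP packages (for example `php libapache2-mod-php`, or whatever the lab image provides) or the web UI will not render. Also, `--enable-sflow` is added to ./configure on new line 20, so the page should say up front that this build is needed for the sfcapd path described later.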
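Review bot: the new `== Router Configuration ==` heading (new line 25) has no content under it and is immediately followed by the `== Testing nfcapd/sfcapd and nfdump ==` heading; either add the exporter configuration steps it promises or drop the heading until they exist.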
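Review bot: the intro to the testing section (new line 28) has three typos, "institutes" should be "institute's", "shloud" should be "should" and "expoter" should be "exporter"; in the same region the `mkdir`, `nfcapd`, `sfcapd`, `ls` and `nfdump` commands (new lines 31-32, 37, 42-43, 46-47, 52, 57-58) are the only commands on the page not wrapped in `{{{ ... }}}`, so they should get the same fences as the rest of the page for consistent rendering.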
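Review bot: the sflow subsection (new lines 45-58) is a copy of the netflow one with incomplete edits: the heading reads `=== For a slow router ===` and should be `=== For a sflow router ===`, the "look at the contents of /tmp/nfcap-test" sentence (new line 50) should say /tmp/sfcap-test, and "files called nfcapd.<YEAR><MON><DAY><HR><MIN>" (new line 53) should say sfcapd., matching the `sfcapd.201Ywwxxyyzz` filenames the nfdump commands on new lines 57-58 read.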
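Review bot: both test collectors are started as `nfcapd -E -p 9001 -l ...` / `sfcapd -E -p 9001 -l ...` (new lines 32 and 47) with no bind address, so they listen on every interface for unauthenticated UDP; a sentence noting that the collector should be bound to the collector's own address (`-b <address>`) and that UDP/9001 should be restricted by the host firewall to the router's export address would be worth adding, since anyone able to reach the port can inject flow records that then appear in the graphs. Port 9001 is also reused by the nfsen `%sources` definition later, so the "Stop the tool with CTRL+C" step deserves a note that a still-running test collector will keep nfsen's collector from binding the same port.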
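Review bot: `$ perl -MCPAN -e 'install Socket6'` (new line 68), which replaces the nfsen-socket6.patch download and `patch -p0` of old lines 28-29, is shown at an unprivileged `$` prompt, but installing into the system Perl needs root (`sudo`) and first use of CPAN prompts interactively for configuration; the simpler fix is to add the distribution package `libsocket6-perl` to the `apt-get install` line at the top of the page and drop the CPAN step.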
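Review bot: the two new `%sources` blocks (new lines 94-106) rename the source from `rtrX` to `accessrtr`, but the unchanged sentence right after them (new line 108) still says "substitute your group's router for rtrX"; update it to refer to `accessrtr`, or keep `rtrX` in the blocks. The closing `}}}` for the netflow block also sits on the same line as the old removed `' rtrX'` entry (new line 97), which is likely a paste artefact worth checking in the rendered page.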
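Review bot: the rrdtool paragraph (new lines 116-121) needs rewording and a concrete instruction: "Deafault rrd tool version for nfsen is 1.5 but the latest version 1.6 therefore a slight configuration is needed" should read roughly "NfSen expects rrdtool 1.5, but the installed version is 1.6, so one line in libexec/NfSenRRD.pm has to be changed", and "Find the rrd tool setting from 1.5 to 1.6" should quote the exact line to edit so the reader is not left grepping. The `vi libexec/NfSenRRD.pm` line (new line 118) is also missing the `$` prompt used everywhere else, and the page should say explicitly that this edit is done in the unpacked source tree before `install.pl` is run.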
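Review bot: the verification step `$ ps auxwww | grep nfcapd` (old lines 88-90) is removed from the "Start NfSen" block (new line 153) and nothing replaces it, so the reader has no check that a collector is actually listening before opening the web page; restore it, extended to cover sfcapd for the sflow case (`ps auxwww | grep -E 'nfcapd|sfcapd'`, or `ss -lunp | grep 9001`), since a failed collector start is only visible as an empty graph later.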
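Review bot: the bold markup on `'''http://<your IP address>/nfsen/nfsen.php` (new line 160) is never closed, so the rest of the page will render bold; add the trailing `'''` as was done for the `'''Frontend - Backend version mismatch!'''` line on new line 164.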
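Review bot: the three trailing lines `perl -MCPAN -e 'install Socket6'`, `vi libexec/NfSenRRD.pm` and `1.5 to 1.6` (old lines 141-143 / new lines 168-169) read as working notes that this revision has already folded into the body, and they follow the NOTES section without a heading or fence; delete them. In the same NOTES section the reconfig output still shows `for (rtr2)` while the example sources define `rtrY`, so one of the two should be corrected to match.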