= Monitoring Netflow Using nfdump/nfsen =

You will install nfdump and nfsen in this hands-on.

== Install nfdump ==

First install the dependencies:

{{{
$ sudo apt-get install build-essential autoconf
$ sudo apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev \
    libmailtools-perl bison flex
}}}

Now proceed to download and build. Note that only the last step (make install) has to be done as root.

{{{
$ cd
$ wget http://www.ws.nsrc.org/downloads/nfdump-1.6.13.tar.gz
$ tar xvzf nfdump-1.6.13.tar.gz
$ cd nfdump-1.6.13
$ ./configure --help    # optional, shows the build settings available
$ ./configure --enable-nfprofile --enable-nftrack --enable-sflow
$ make
$ sudo make install
}}}

== Router Configuration ==

== Testing nfcapd/sfcapd and nfdump ==

If your institute's access router exports netflow you should use nfcapd. If it exports sflow you should use sfcapd. You can find your router's flow exporter type in this [wiki:netmon2017flowtype table].

=== For a netflow router ===

{{{
$ mkdir /tmp/nfcap-test
$ nfcapd -E -p 9001 -l /tmp/nfcap-test
}}}

... after a while, a series of flows should be dumped on your screen. Stop the tool with CTRL+C, then look at the contents of /tmp/nfcap-test:

{{{
$ ls -l /tmp/nfcap-test
}}}

You should see one or more files named nfcapd.201Ywwxxyyzz (the suffix is the capture timestamp).
Process the file(s) with nfdump:

{{{
$ nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz | less
$ nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz -s srcip/bytes
}}}

=== For an sflow router ===

{{{
$ mkdir /tmp/sfcap-test
$ sfcapd -E -p 9001 -l /tmp/sfcap-test
}}}

... after a while, a series of flows should be dumped on your screen. Stop the tool with CTRL+C, then look at the contents of /tmp/sfcap-test:

{{{
$ ls -l /tmp/sfcap-test
}}}

You should see one or more files named sfcapd.201Ywwxxyyzz (the suffix is the capture timestamp).
Process the file(s) with nfdump:

{{{
$ nfdump -r /tmp/sfcap-test/sfcapd.201Ywwxxyyzz | less
$ nfdump -r /tmp/sfcap-test/sfcapd.201Ywwxxyyzz -s srcip/bytes
}}}

== Installing and setting up NfSen ==

Download and compile nfsen.

{{{
$ cd
$ wget http://www.ws.nsrc.org/downloads/nfsen-1.3.6p1.tar.gz
$ tar xvzf nfsen-1.3.6p1.tar.gz
$ cd nfsen-1.3.6p1
$ perl -MCPAN -e 'install Socket6'
$ cd etc
$ cp nfsen-dist.conf nfsen.conf
$ vi nfsen.conf
}}}

Set the $BASEDIR variable:

{{{
$BASEDIR = "/var/nfsen";
}}}

Set the users appropriately so that Apache can access the files:

{{{
$WWWUSER  = 'www-data';
$WWWGROUP = 'www-data';
}}}

Set the buffer size to something small, so that we see data quickly. You would not do this on a production system.

{{{
# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 2000;
}}}

Find the %sources definition, and change it to:

'''For a netflow router'''

{{{
%sources = (
    'accessrtr' => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
);
}}}

'''For an sflow router'''

{{{
%sources = (
    'accessrtr' => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'sflow' },
);
}}}

(Substitute your group's router name for the source name, and either remove or comment out the existing sample sources.)

Change the HTMLDIR from /var/www/nfsen/ to /var/www/html/nfsen/:

{{{
$HTMLDIR = "/var/www/html/nfsen/";
}}}

Now save and exit from the file.

The default RRDtool version configured in nfsen is 1.5, but the latest version is 1.6, so a small configuration change is needed:

{{{
$ vi libexec/NfSenRRD.pm
}}}

Find the RRDtool version setting and change it from 1.5 to '''1.6'''.

Create the netflow user on the system:

{{{
$ sudo useradd -d /var/nfsen -G www-data -m -s /bin/false netflow
}}}

Install NfSen and start it. Change directory back to just inside the source directory:

{{{
$ cd
$ cd nfsen-1.3.6p1
}}}

Now, finally, we install:

{{{
$ sudo perl install.pl etc/nfsen.conf
}}}

Press ENTER when prompted for the path to Perl.
Install init script

In order to have nfsen start and stop automatically when the system starts, add a link in the init.d directory pointing to the nfsen startup script:

{{{
$ sudo ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
$ sudo update-rc.d nfsen defaults 20
}}}

Start NfSen:

{{{
$ sudo service nfsen start
}}}

View flows via the web. You can find the nfsen page here: '''http:///nfsen/nfsen.php'''

You may see a message such as: '''Frontend - Backend version mismatch!''' This will go away if you reload the page; it's not a problem.
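To see what the `-s srcip/bytes` statistic from the nfdump test step actually computes, here is an added example (not part of this page, nor of the nfdump or nfsen projects) that performs the same per-source aggregation over nfdump's CSV output and generalises the key so the dstip and dstport variants fall out the same way. It assumes the column names of `nfdump -o csv` (sa, da, sp, dp, pr, ibyt, ipkt) and that nfdump appends a "Summary" block after the records; the sample below is constructed, not captured from a router.

```python
"""Per-key byte totals over nfdump CSV output, mirroring `nfdump -s srcip/bytes`."""
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of `nfdump -r nfcapd.XXXX -o csv`, reduced to the
# columns used here (assumed names: sa/da = addresses, sp/dp = ports, pr = protocol,
# ibyt/ipkt = bytes/packets). Not captured from a real router.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,ibyt,ipkt
2017-01-01 10:00:01,2017-01-01 10:00:02,1.000,10.10.0.5,192.0.2.10,51000,443,TCP,120000,90
2017-01-01 10:00:03,2017-01-01 10:00:03,0.100,10.10.0.7,192.0.2.10,51001,80,TCP,800,6
2017-01-01 10:00:04,2017-01-01 10:00:09,5.000,10.10.0.5,192.0.2.20,51002,443,TCP,3400000,2500
2017-01-01 10:00:05,2017-01-01 10:00:05,0.010,10.10.0.9,192.0.2.30,40000,53,UDP,120,1
2017-01-01 10:00:06,2017-01-01 10:00:06,0.020,10.10.0.7,192.0.2.40,51003,22,TCP,2200,12
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
5,3523120,2609,0,0,0
"""

def parse_flows(text):
    """Yield flow records as dicts with integer counters; stop at the summary block."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["ibyt"] = int(row["ibyt"])
            row["ipkt"] = int(row["ipkt"])
        except (TypeError, ValueError):
            break  # "Summary" and the lines after it are not flow records
        yield row

def top_n(flows, key="sa", n=10):
    """Per value of `key`: (value, bytes, packets, flows), highest bytes first. key="sa" is srcip/bytes; "da"/"dp" give dstip/dstport."""
    totals = defaultdict(lambda: [0, 0, 0])  # bytes, packets, flow count
    for f in flows:
        t = totals[f[key]]
        t[0] += f["ibyt"]
        t[1] += f["ipkt"]
        t[2] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(k, b, p, c) for k, (b, p, c) in ranked[:n]]

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_CSV))
    total = sum(f["ibyt"] for f in flows)
    print(f"{len(flows)} flows, {total} bytes; top sources by bytes:")
    for k, b, p, c in top_n(flows):
        print(f"{k:>16} {b:>10} bytes {p:>6} pkts {c:>3} flows {100 * b / total:5.1f}%")
```

Pipe real data in with `nfdump -r <file> -o csv | python3 this_script.py` after replacing SAMPLE_CSV with `sys.stdin.read()`, and compare the ranking with `nfdump -s srcip/bytes` on the same file.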