NFSen & Cisco NetFlow Exercise

1. Install nfdump
   [nfdump is the NetFlow flow collector]

   NOC-TLDX> sudo apt-get install nfdump

   Installed tools are: nfcapd nfdump nfreplay nfexpire nftest nfgen

2. Install RRD (round robin database)

   NOC-TLDX> sudo apt-get install rrdtool
   NOC-TLDX> sudo apt-get install librrdp-perl librrds-perl

3. Install PHP

   NOC-TLDX> sudo apt-get install php5
   NOC-TLDX> sudo /etc/init.d/apache2 restart

4. Now get nfsen - there is no Ubuntu package yet...

   NOC-TLDX> cd /tmp
   NOC-TLDX> wget http://192.168.75.20/nfsen-1.3.2.tar.gz

   Setting up NfSen

   NOC-TLDX> tar -xzf nfsen-1.3.2.tar.gz
   NOC-TLDX> cd /tmp/nfsen-1.3.2/etc

   Edit the nfsen-dist.conf:

   NOC-TLDX> pico nfsen-dist.conf

   - set the basedir variable

       $BASEDIR = "/var/nfsen";

   - set the users:

       $USER = "netflow";
       $WWWUSER = 'www-data';
       $WWWGROUP = 'www-data';

   - add the following line to the sources (between $sources = { and };)

       'tldXrtr' => { 'port' => '2000', 'col' => '#0000ff' },

     ** Don't forget to use your group number instead of X

   - set the path for the PREFIX where to find the nfdump tools:

       $PREFIX = '/usr/bin';

   - set the buffer size to something small, so we see data quickly

       $BUFFLEN = 2000;

   ... Save and exit

5. Create a netflow user on the system.

   NOC-TLDX> sudo useradd -d /var/netflow -G www-data -m -s /bin/false netflow

6. Initiating nfsen

   NOC-TLDX> cp nfsen-dist.conf nfsen.conf
   NOC-TLDX> cd ..
   NOC-TLDX> sudo perl install.pl etc/nfsen.conf

   [press 'return' when asked where perl is located]

7. Setting up your routers to generate flow data

   Log into your router...

   NOC-TLDX> ssh tldadmin@192.168.10X.1

   Remember, your password is tldadmin!
   TLDX-RTR> en
   TLDX-RTR# config terminal
   TLDX-RTR(config)# interface FastEthernet 0/1
   TLDX-RTR(config-if)# ip route-cache flow
   TLDX-RTR(config-if)# ip flow ingress
   TLDX-RTR(config-if)# ip flow egress
   TLDX-RTR(config-if)# CTRL-Z
   TLDX-RTR# config terminal
   TLDX-RTR(config)# ip flow-export version 5
   TLDX-RTR(config)# ip flow-export destination 192.168.10X.30 2000

   ** Be sure to replace the X with your group number!

   TLDX-RTR(config)# CTRL-Z
   TLDX-RTR# write memory

8. Starting Nfsen

   NOC-TLDX> cd /var/nfsen/bin
   NOC-TLDX> sudo ./nfsen start

   (You can add the nfsen startup script to /etc/init.d/rc.local or
   somewhere similar to start it at bootup.)

   Watch your browser at http://192.168.10X.30/nfsen/nfsen.php

   Note that it will take several minutes for data to appear on your
   graphs - you can look at the instructor NOC:

   http://192.168.128.30/nfsen/nfsen.php

   for an example of what yours will look like after 30 minutes or so...
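
Added example (not part of the original exercise, and not nfdump or NfSen code): a small Python parser for the NetFlow version 5 datagrams that step 7 configures the router to export to UDP port 2000, with a check of the flow sequence counter that shows whether export datagrams are being lost on the way to the collector. The function names, addresses and counters below are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Validate one NetFlow v5 export datagram; return (header, flows)."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # A v5 datagram carries 1..30 records and nothing after them.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[11], "proto": f[12],
        })
    return {"count": count, "sequence": seq, "unix_secs": secs}, flows

def missed_flows(prev, cur):
    """Flows lost between two consecutive datagrams from one exporter.
    The v5 sequence field counts flows, so it should advance by prev['count']."""
    return (cur["sequence"] - (prev["sequence"] + prev["count"])) & 0xFFFFFFFF

def build_sample(seq, flows):
    """Constructed input: pack (src, dst, sport, dport, proto, pkts, octets) tuples."""
    out = HEADER.pack(5, len(flows), 1000, 1300000000, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, proto, pkts, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           1, 2, pkts, octets, 0, 500, sport, dport,
                           0x1B, proto, 0, 0, 0, 24, 24)
    return out

if __name__ == "__main__":
    # Constructed datagrams, not captured traffic; group number 1 is assumed.
    a = build_sample(0, [("192.168.101.30", "192.168.128.30", 51000, 80, 6, 12, 3400),
                         ("192.168.101.30", "192.168.101.1", 40000, 53, 17, 1, 72)])
    b = build_sample(5, [("192.168.101.1", "192.168.101.30", 22, 52000, 6, 40, 9000)])
    (h1, f1), (h2, _) = parse_v5(a), parse_v5(b)
    for flow in f1:
        print(flow)
    print("flows lost between datagrams:", missed_flows(h1, h2))
```

A non-zero result from missed_flows means export datagrams were dropped between router and collector, so the NfSen graphs will under-count traffic.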