Advanced Registry Operations Curriculum

NetFlow - NFSen - Exercise

0. If not already installed, install the following packages:

    # apt-get install rrdtool
    # apt-get install librrds-perl
    # apt-get install librrdp-perl

1. Install nfdump [Nfdump is the netflow flow collector]

    # export INIT_VERBOSE=yes
    # export VERBOSE=yes
    # apt-get install nfdump

(the lines with VERBOSE are needed to work around a bug in the package installation script)

---
Installed tools are: nfcapd nfdump nfreplay nfexpire nftest nfgen
---

NFSen

1. Now get nfsen

    $ wget http://freefr.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.2/nfsen-1.3.2.tar.gz

2. Setting up NfSen

    $ tar -xzf nfsen-1.3.2.tar.gz
    $ cd nfsen-1.3.2
    $ cd etc
    # cp nfsen-dist.conf nfsen.conf

Edit the nfsen.conf, and make the following changes:

- set the basedir variable

    $BASEDIR = "/var/nfsen";

- set the path for the PREFIX where to find the nfdump tools:

    # nfdump tools path
    $PREFIX = '/usr/bin';

- set the users:

    $USER = "netflow";
    $WWWUSER = 'www-data';
    $WWWGROUP = 'www-data';

- set the buffer size to something small, so we see data quickly

    # Receive buffer size for nfcapd - see man page nfcapd(1)
    $BUFFLEN = 2000;

- find the %sources definition, and change it to:

    %sources = (
        'tldX-rtr' => { 'port' => '2002', 'col' => '#ff0000' },
    );

  (remember to replace 'X' with the number of your TLD)

- save the file, and exit.

3. Create a netflow user on the system.

    # useradd -d /var/netflow -G www-data -m -s /bin/false netflow

4. Initiating nfsen

    # cd ..
    # perl install.pl etc/nfsen.conf

[press 'return' when asked where perl is located]

5. Starting Nfsen

    # cd /var/nfsen/bin
    # ./nfsen start

(You can add the nfsen startup script to /etc/init.d/rc.local or somewhere similar to start it at bootup.)

6. Now we need to configure your router to export NetFlow flows.

Using the slides on NetFlow (slides 36 and following), configure the IOS on your TLD router to export flows to your NOC, on port 2002 (as you configured in point 2).
Once you have done this, it will take some time for data to show up in NFsen... Watch your browser at http://your-IP/nfsen/nfsen.php

7. Add more sources:

Go back to where you extracted your nfsen distribution.

    # cd nfsen-1.3.2
    # vi etc/nfsen.conf

    %sources = (
        'tldX-rtr' => { 'port' => '2002', 'col' => '#ff0000' },
        'tldY-rtr' => { 'port' => '2003', 'col' => '#ff0000' },
    );

Save & close.

Now, ask your neighbor to add a NetFlow export destination -- by default the IOS software supports 2 -- pointing at your NOC, on port 2003.

Once you have double checked with your neighbor that they have configured netflow export, check with tcpdump on your NOC that you are seeing packets on port 2003:

    # tcpdump -n port 2003 and udp
    ...
    ^C

Finally, reconfigure and restart NFSen:

    # perl install.pl etc/nfsen.conf

[press return when asked]

8. Start NFsen

    # /var/nfsen/bin/nfsen stop
    # /var/nfsen/bin/nfsen start

9. Check it out!

    http://your-IP/nfsen/nfsen.php
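
The tcpdump check in step 7 only shows that UDP packets reach port 2003, not that they are well-formed flow exports. The Python sketch below is an added example, not part of the original exercise: it decodes a payload and reports gaps in the flow sequence. It assumes the routers export NetFlow version 5 (the exercise does not name a version); the function names and the sample datagrams are constructed for illustration.

```python
import socket
import struct

# Assumption: the routers export NetFlow version 5 (the exercise does not name a version).
HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte v5 flow record


def parse_v5(datagram):
    """Decode one UDP payload; raise ValueError if it is not a well-formed v5 export."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("version field is %d, not 5" % version)
    if not 1 <= count <= 30:
        raise ValueError("record count %d outside 1..30" % count)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("payload length does not match record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]), "sport": f[9],
                      "dport": f[10], "proto": f[12], "packets": f[5], "bytes": f[6]})
    return {"unix_secs": secs, "flow_sequence": seq, "count": count}, flows


def lost_flows(prev_header, header):
    """Flows missing between two consecutive exports from the same router (0 = none)."""
    expected = (prev_header["flow_sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (header["flow_sequence"] - expected) & 0xFFFFFFFF


def build_sample(seq, flows):
    """Constructed test datagram; addresses are documentation ranges, not real traffic."""
    out = HEADER.pack(5, len(flows), 1000, 1700000000, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, proto, pkts, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 0, 500,
                           sport, dport, 0x18, proto, 0, 0, 0, 24, 24)
    return out


if __name__ == "__main__":
    a = build_sample(100, [("192.0.2.10", "198.51.100.5", 51000, 53, 17, 2, 150)])
    b = build_sample(104, [("192.0.2.11", "198.51.100.9", 44321, 443, 6, 12, 9000)])
    (h1, flows), (h2, _) = parse_v5(a), parse_v5(b)
    print(flows, "lost:", lost_flows(h1, h2))
```

To use it on real traffic, feed it UDP payloads taken from a packet capture, since nfcapd already holds the listening port.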