Agenda: exercises-netflow.txt

File exercises-netflow.txt, 8.3 KB (added by admin, 8 years ago)

Line
1	Network Monitoring and Management
2
3	Configure Your Router to Export Flows
4	-------------------------------------
5
6	1. Export flows from a router
7
8	This is a sample for doing this from the Group 1 router, rtr1.ws.nsrc.org to
9	the PC named pc1.ws.nsrc.org or 10.10.1.1. In each of your groups for router 1
10	through router 6 you should choose one person to type in the commands to set up
11	router for Netflow and one PC where the Netflow exports will go.
12
13	Our router is rtr1, or 10.10.1.254 (Group 1 gateway)
14
15	Log in on the router:
16
17	# telnet 10.10.1.254
18	rtr1.ws.nsrc.org> enable
19
20	Enter the enable password
21
22	rtr1.ws.nsrc.org# configure terminal
23	rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
24	rtr1.ws.nsrc.org(config)# ip route-cache flow
25	rtr1.ws.nsrc.org(config)# exit
26
27	Repeat for FastExthernet 0/1 (and all interfaces you may have that
28	are configured)
29
30	rtr1.ws.nsrc.org# configure terminal
31	rtr1.ws.nsrc.org(config)# interface FastEthernet 0/1
32	rtr1.ws.nsrc.org(config)# ip route-cache flow
33	rtr1.ws.nsrc.org(config)# exit
34
35	rtr1.ws.nsrc.org#conf t
36	rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9996
37	rtr1.ws.nsrc.org(config)# ip flow-export version 5
38	rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5
39
40	This breaks up long-lived flows into 5-minute fragments. You can
41	choose any number of minutes between 1 and 60. If you leave it at
42	the default of 30 minutes your traffic reports will have spikes.
43
44	rtr1.ws.nsrc.org(config)# snmp-server ifindex persist
45
46	This enables ifIndex persistence globally. This ensures that the
47	ifIndex values are persisted during router reboots.
48
49	Now configure how you want the ip flow top-talkers to work:
50
51	rtr1.ws.nsrc.org(config)#ip flow-top-talkers
52	rtr1.ws.nsrc.org(config-flow-top-talkers)#top 20
53	rtr1.ws.nsrc.org(config-flow-top-talkers)#sort-by bytes
54	rtr1.ws.nsrc.org(config-flow-top-talkers)#end
55
56	Now we'll verify what we've done.
57
58	rtr1.ws.nsrc.org# show ip flow export
59	rtr1.ws.nsrc.org# show ip cache flow
60
61	See your "top talkers" across your router interfaces
62
63	rtr1.ws.nsrc.org# show ip flow top-talkers
64
65	If it all looks good then write your running-config to non-volatile
66	RAM (i.e. the startup-config):
67
68	rtr1.ws.nsrc.org#wr mem
69
70	You can exit from the router now:
71
72	rtr1.ws.nsrc.org#exit
73
74	and on the machine where flows are being exported to you can verify that they
75	are arriving by doing (as root):
76
77	# tcpdump -v udp port 9996
78
79	In addition (_PLEASE NOTE_) we are re-exporting NetFlow data from the gateway
80	router to all the PCs in the classroom. You can verify that these flows are
81	arriving by typing:
82
83	# tcpdump -v udp port 9009
84
85	For the exercises we'll assume you are on a PC where flows are only arriving
86	from the gateway router and we'll use the 9009 port.
87
88
89	Configure Your Collector
90	------------------------
91
92	1. Install NFdump
93	NFdump is the Netflow flow collector
94
95	We install several additional packages that we will need a bit
96	later:
97
98	Only install these if you did not already install mrtg and rrdtool:
99
100	# apt-get install rrdtool
101	# apt-get install librrds-perl
102	# apt-get install librrdp-perl
103	# apt-get install mrtg
104
105	If mrtg and rrdtool are already installed, then you just need these:
106
107	# apt-get install librrd-dev
108	# apt-get install nfdump
109
110	Or, on a single line:
111
112	# apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump
113
114	This will install, among other things, nfcapd, nfdump, nfreplay,
115	nfexpire, nftest, nfgen
116
117
118	2. Installing and Setting up NfSen (logged in as root)
119
120	# cd /usr/local/src
121	# wget http://noc.ws.nsrc.org/software/nfsen-1.3.5.tar.gz
122	# tar xvzf nfsen-1.3.5.tar.gz
123	# cd nfsen-1.3.5
124	# cd etc
125	# cp nfsen-dist.conf nfsen.conf
126	# joe nfsen.conf
127
128	Set the $BASEDIR variable
129
130	$BASEDIR="/var/nfsen";
131
132	Set the users appropriately so that Apache can access files:
133
134	$WWWUSER = 'www-data';
135	$WWWGROUP = 'www-data'
136
137	Adjust the tools path to where items actually reside:
138
139	# nfdump tools path
140	$PREFIX = '/usr/bin';
141
142	Set the buffer size to something small, so that we see data quickly
143
144	# Receive buffer size for nfcapd - see man page nfcapd(1)
145	$BUFFLEN = 2000;
146
147	Find the %sources definition, and change it to:
148
149	%sources=(
150	'rtrX'=>{'port'=>'9009','col'=>'#0000ff','type'=>'netflow'},
151	);
152
153	Now save and exit from the file.
154
155
156	3. Create the netflow user on the system
157
158	# useradd -d /var/netflow -G www-data -m -s /bin/false netflow
159
160
161	4. Initiate NfSen. Any time you make changes to nfsen.conf you will
162	have to do this step again.
163
164	Make sure we are in the right location:
165
166	# cd /usr/local/src/nfsen-1.3.5
167
168	Now, finally, we install:
169
170	# perl install.pl etc/nfsen.conf
171
172	Start NfSen
173
174	cd /var/nfsen/bin
175	./nfsen start
176
177
178	5. View flows via the web:
179
180	# apt-get install php5
181
182	You can find the nfsen output here:
183
184	http://pcN.ws.nsrc.org/nfsen/nfsen.php
185
186	(Below is only if there are problems)
187
188	Note that in /usr/local/etc/nfsen-1.3/etc/nfsen.conf there is a variable
189	$HTMLDIR that you may need to configure. By default it is set like this:
190
191	$HTMLDIR="/var/www/nfsen/";
192
193	In some cases you may need to either move the nfsen directory in your web
194	structure, or update the $HTMLDIR variable for your installation.
195
196	If you move items, then do:
197
198	# /etc/init.d/apache2 restart
199
200
201	6. Verify that flows are arriving
202
203	Assuming that you are exporting flows from a router, or routers, to
204	your collector box on port 9009 you can check for arriving data using
205	tcpdump:
206
207	# tcpdump -v udp port 9009
208
209
210	7. Extend your Netflow configuration (Sample Only - We won't do this)
211
212	Go back to where you extracted your nfsen distribution.
213
214	# cd /usr/local/src/nfsen-1.3.5
215	# vi etc/nfsen.conf
216
217	Update your sources for new items that you migh have.
218	(Sample only!)
219
220	%sources = (
221	'rtr' => {'port' => '9000', 'col' => 'e4e4e4' },
222	'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
223	'rtr3' => { 'port' => '9002','col' => '#00cc00' },
224	'rtr4' => { 'port' => '9003','col' => '#000000' },
225	'rtr5' => { 'port' => '9004','col' => '#ff0000' },
226	'rtr6' => { 'port' => '9005','col' => '#ffff00' },
227	);
228
229	Save and exit from the nfsend.conf file.
230
231	Remember, you've updated nfsen.conf so you must re-run the install
232	script:
233
234	# perl install.pl etc/nfsen.conf
235
236	Now start and stop nfsen:
237
238	# /var/nfsen/bin/nfsen stop
239	# /var/nfsen/bin/nfsen start
240
241	You can add the nfsen startup script to /etc/init.d/rc.local
242	or somewhere similar to start it at bootup.)
243
244
245	8. Installing the PortTracker plugin (Optional or as reference)
246
247	- Go the PortTracker directory in the nfsen source distribution:
248
249	# cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker
250
251	# joe do_compile
252
253	# path of nfdump sources
254	NFDUMP="/home/sysadmin/nfdump-1.6.2"
255
256	# path of rrd include file rrd.h
257	RRDINCLUDE=/usr/include
258
259	# path of rrd library
260	LIBRRD=/usr/lib
261
262
263	- Compile nftrack:
264
265	# ./do_compile
266
267	...
268
269	# cp nftrack /usr/local/bin/
270
271	- Make a directory for the nftrack data
272
273	# mkdir -p /var/log/netflow/porttracker
274
275	- Set the nftrack data directory in the PortTracker.pm module:
276
277	# joe PortTracker.pm
278
279	...
280
281	my $PORTSDBDIR = "/var/log/netflow/porttracker";
282
283	...
284
285	- Install the plugins into the NFSen distribution
286
287	# cp PortTracker.pm /var/nfsen/plugins/
288	# cp PortTracker.php /var/www/nfsen/plugins/
289
290	- Add the plugin definition to the nfsen.conf configuration
291
292	# cd ~/nfsen-1.3.5
293	# vi etc/nfsen.conf
294
295	...
296
297	@plugins = (
298	[ 'live', 'PortTracker'],
299	);
300
301	...
302
303	- Re-run the installation (answer questions)
304
305	# perl install.pl etc/nfsen.conf
306
307	- Initialize portracker database files
308
309	# sudo -u www-data nftrack -I -d /var/log/netflow/porttracker
310
311	(This can take a LONG time! - 8 GB worth of files will be created)
312
313	- Set the permissions so the netflow user running nfsen, and the www-data
314	user running the Web interface, can access the porttracker data:
315
316	# chown -R netflow:www-data /var/log/netflow/porttracker
317	# chmod -R 775 /var/log/netflow/porttracker
318
319	- Reload:
320
321	# /var/nfsen/bin/nfsen reload
322
323	- Check for success:
324
325	# grep -i 'porttracker.*success' /var/log/syslog
326	Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
327	Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success
328
329	- Wait some minutes, and go the the nfsen GUI
330
331	http://pcN.ws.nsrc.org/nfsen/nfsen.php
332
333	... and select the Plugins tab.
334
335