| 1 | Network Monitoring and Management |
|---|
| 2 | |
|---|
| 3 | Configure Your Router to Export Flows |
|---|
| 4 | ------------------------------------- |
|---|
| 5 | |
|---|
| 6 | 1. Export flows from a router |
|---|
| 7 | |
|---|
| 8 | This is a sample for doing this from the Group 1 router, rtr1.ws.nsrc.org to |
|---|
| 9 | the PC named pc1.ws.nsrc.org or 10.10.1.1. In each of your groups for router 1 |
|---|
| 10 | through router 6 you should choose one person to type in the commands to set up |
|---|
| 11 | router for Netflow and one PC where the Netflow exports will go. |
|---|
| 12 | |
|---|
| 13 | Our router is rtr1, or 10.10.1.254 (Group 1 gateway) |
|---|
| 14 | |
|---|
| 15 | Log in on the router: |
|---|
| 16 | |
|---|
| 17 | # telnet 10.10.1.254 |
|---|
| 18 | rtr1.ws.nsrc.org> enable |
|---|
| 19 | |
|---|
| 20 | Enter the enable password |
|---|
| 21 | |
|---|
| 22 | rtr1.ws.nsrc.org# configure terminal |
|---|
| 23 | rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0 |
|---|
| 24 | rtr1.ws.nsrc.org(config)# ip route-cache flow |
|---|
| 25 | rtr1.ws.nsrc.org(config)# exit |
|---|
| 26 | |
|---|
| 27 | Repeat for FastExthernet 0/1 (and all interfaces you may have that |
|---|
| 28 | are configured) |
|---|
| 29 | |
|---|
| 30 | rtr1.ws.nsrc.org# configure terminal |
|---|
| 31 | rtr1.ws.nsrc.org(config)# interface FastEthernet 0/1 |
|---|
| 32 | rtr1.ws.nsrc.org(config)# ip route-cache flow |
|---|
| 33 | rtr1.ws.nsrc.org(config)# exit |
|---|
| 34 | |
|---|
| 35 | rtr1.ws.nsrc.org#conf t |
|---|
| 36 | rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9996 |
|---|
| 37 | rtr1.ws.nsrc.org(config)# ip flow-export version 5 |
|---|
| 38 | rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5 |
|---|
| 39 | |
|---|
| 40 | This breaks up long-lived flows into 5-minute fragments. You can |
|---|
| 41 | choose any number of minutes between 1 and 60. If you leave it at |
|---|
| 42 | the default of 30 minutes your traffic reports will have spikes. |
|---|
| 43 | |
|---|
| 44 | rtr1.ws.nsrc.org(config)# snmp-server ifindex persist |
|---|
| 45 | |
|---|
| 46 | This enables ifIndex persistence globally. This ensures that the |
|---|
| 47 | ifIndex values are persisted during router reboots. |
|---|
| 48 | |
|---|
| 49 | Now configure how you want the ip flow top-talkers to work: |
|---|
| 50 | |
|---|
| 51 | rtr1.ws.nsrc.org(config)#ip flow-top-talkers |
|---|
| 52 | rtr1.ws.nsrc.org(config-flow-top-talkers)#top 20 |
|---|
| 53 | rtr1.ws.nsrc.org(config-flow-top-talkers)#sort-by bytes |
|---|
| 54 | rtr1.ws.nsrc.org(config-flow-top-talkers)#end |
|---|
| 55 | |
|---|
| 56 | Now we'll verify what we've done. |
|---|
| 57 | |
|---|
| 58 | rtr1.ws.nsrc.org# show ip flow export |
|---|
| 59 | rtr1.ws.nsrc.org# show ip cache flow |
|---|
| 60 | |
|---|
| 61 | See your "top talkers" across your router interfaces |
|---|
| 62 | |
|---|
| 63 | rtr1.ws.nsrc.org# show ip flow top-talkers |
|---|
| 64 | |
|---|
| 65 | If it all looks good then write your running-config to non-volatile |
|---|
| 66 | RAM (i.e. the startup-config): |
|---|
| 67 | |
|---|
| 68 | rtr1.ws.nsrc.org#wr mem |
|---|
| 69 | |
|---|
| 70 | You can exit from the router now: |
|---|
| 71 | |
|---|
| 72 | rtr1.ws.nsrc.org#exit |
|---|
| 73 | |
|---|
| 74 | and on the machine where flows are being exported to you can verify that they |
|---|
| 75 | are arriving by doing (as root): |
|---|
| 76 | |
|---|
| 77 | # tcpdump -v udp port 9996 |
|---|
| 78 | |
|---|
| 79 | In addition (_PLEASE NOTE_) we are re-exporting NetFlow data from the gateway |
|---|
| 80 | router to all the PCs in the classroom. You can verify that these flows are |
|---|
| 81 | arriving by typing: |
|---|
| 82 | |
|---|
| 83 | # tcpdump -v udp port 9009 |
|---|
| 84 | |
|---|
| 85 | For the exercises we'll assume you are on a PC where flows are only arriving |
|---|
| 86 | from the gateway router and we'll use the 9009 port. |
|---|
| 87 | |
|---|
| 88 | |
|---|
| 89 | Configure Your Collector |
|---|
| 90 | ------------------------ |
|---|
| 91 | |
|---|
| 92 | 1. Install NFdump |
|---|
| 93 | NFdump is the Netflow flow collector |
|---|
| 94 | |
|---|
| 95 | We install several additional packages that we will need a bit |
|---|
| 96 | later: |
|---|
| 97 | |
|---|
| 98 | Only install these if you did not already install mrtg and rrdtool: |
|---|
| 99 | |
|---|
| 100 | # apt-get install rrdtool |
|---|
| 101 | # apt-get install librrds-perl |
|---|
| 102 | # apt-get install librrdp-perl |
|---|
| 103 | # apt-get install mrtg |
|---|
| 104 | |
|---|
| 105 | If mrtg and rrdtool are already installed, then you just need these: |
|---|
| 106 | |
|---|
| 107 | # apt-get install librrd-dev |
|---|
| 108 | # apt-get install nfdump |
|---|
| 109 | |
|---|
| 110 | Or, on a single line: |
|---|
| 111 | |
|---|
| 112 | # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump |
|---|
| 113 | |
|---|
| 114 | This will install, among other things, nfcapd, nfdump, nfreplay, |
|---|
| 115 | nfexpire, nftest, nfgen |
|---|
| 116 | |
|---|
| 117 | |
|---|
| 118 | 2. Installing and Setting up NfSen (logged in as root) |
|---|
| 119 | |
|---|
| 120 | # cd /usr/local/src |
|---|
| 121 | # wget http://noc.ws.nsrc.org/software/nfsen-1.3.5.tar.gz |
|---|
| 122 | # tar xvzf nfsen-1.3.5.tar.gz |
|---|
| 123 | # cd nfsen-1.3.5 |
|---|
| 124 | # cd etc |
|---|
| 125 | # cp nfsen-dist.conf nfsen.conf |
|---|
| 126 | # joe nfsen.conf |
|---|
| 127 | |
|---|
| 128 | Set the $BASEDIR variable |
|---|
| 129 | |
|---|
| 130 | $BASEDIR="/var/nfsen"; |
|---|
| 131 | |
|---|
| 132 | Set the users appropriately so that Apache can access files: |
|---|
| 133 | |
|---|
| 134 | $WWWUSER = 'www-data'; |
|---|
| 135 | $WWWGROUP = 'www-data' |
|---|
| 136 | |
|---|
| 137 | Adjust the tools path to where items actually reside: |
|---|
| 138 | |
|---|
| 139 | # nfdump tools path |
|---|
| 140 | $PREFIX = '/usr/bin'; |
|---|
| 141 | |
|---|
| 142 | Set the buffer size to something small, so that we see data quickly |
|---|
| 143 | |
|---|
| 144 | # Receive buffer size for nfcapd - see man page nfcapd(1) |
|---|
| 145 | $BUFFLEN = 2000; |
|---|
| 146 | |
|---|
| 147 | Find the %sources definition, and change it to: |
|---|
| 148 | |
|---|
| 149 | %sources=( |
|---|
| 150 | 'rtrX'=>{'port'=>'9009','col'=>'#0000ff','type'=>'netflow'}, |
|---|
| 151 | ); |
|---|
| 152 | |
|---|
| 153 | Now save and exit from the file. |
|---|
| 154 | |
|---|
| 155 | |
|---|
| 156 | 3. Create the netflow user on the system |
|---|
| 157 | |
|---|
| 158 | # useradd -d /var/netflow -G www-data -m -s /bin/false netflow |
|---|
| 159 | |
|---|
| 160 | |
|---|
| 161 | 4. Initiate NfSen. Any time you make changes to nfsen.conf you will |
|---|
| 162 | have to do this step again. |
|---|
| 163 | |
|---|
| 164 | Make sure we are in the right location: |
|---|
| 165 | |
|---|
| 166 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 167 | |
|---|
| 168 | Now, finally, we install: |
|---|
| 169 | |
|---|
| 170 | # perl install.pl etc/nfsen.conf |
|---|
| 171 | |
|---|
| 172 | Start NfSen |
|---|
| 173 | |
|---|
| 174 | cd /var/nfsen/bin |
|---|
| 175 | ./nfsen start |
|---|
| 176 | |
|---|
| 177 | |
|---|
| 178 | 5. View flows via the web: |
|---|
| 179 | |
|---|
| 180 | # apt-get install php5 |
|---|
| 181 | |
|---|
| 182 | You can find the nfsen output here: |
|---|
| 183 | |
|---|
| 184 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
|---|
| 185 | |
|---|
| 186 | (Below is only if there are problems) |
|---|
| 187 | |
|---|
| 188 | Note that in /usr/local/etc/nfsen-1.3/etc/nfsen.conf there is a variable |
|---|
| 189 | $HTMLDIR that you may need to configure. By default it is set like this: |
|---|
| 190 | |
|---|
| 191 | $HTMLDIR="/var/www/nfsen/"; |
|---|
| 192 | |
|---|
| 193 | In some cases you may need to either move the nfsen directory in your web |
|---|
| 194 | structure, or update the $HTMLDIR variable for your installation. |
|---|
| 195 | |
|---|
| 196 | If you move items, then do: |
|---|
| 197 | |
|---|
| 198 | # /etc/init.d/apache2 restart |
|---|
| 199 | |
|---|
| 200 | |
|---|
| 201 | 6. Verify that flows are arriving |
|---|
| 202 | |
|---|
| 203 | Assuming that you are exporting flows from a router, or routers, to |
|---|
| 204 | your collector box on port 9009 you can check for arriving data using |
|---|
| 205 | tcpdump: |
|---|
| 206 | |
|---|
| 207 | # tcpdump -v udp port 9009 |
|---|
| 208 | |
|---|
| 209 | |
|---|
| 210 | 7. Extend your Netflow configuration (Sample Only - We won't do this) |
|---|
| 211 | |
|---|
| 212 | Go back to where you extracted your nfsen distribution. |
|---|
| 213 | |
|---|
| 214 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 215 | # vi etc/nfsen.conf |
|---|
| 216 | |
|---|
| 217 | Update your sources for new items that you migh have. |
|---|
| 218 | (Sample only!) |
|---|
| 219 | |
|---|
| 220 | %sources = ( |
|---|
| 221 | 'rtr' => {'port' => '9000', 'col' => 'e4e4e4' }, |
|---|
| 222 | 'rtr2' => { 'port' => '9001', 'col' => '#0000ff' }, |
|---|
| 223 | 'rtr3' => { 'port' => '9002','col' => '#00cc00' }, |
|---|
| 224 | 'rtr4' => { 'port' => '9003','col' => '#000000' }, |
|---|
| 225 | 'rtr5' => { 'port' => '9004','col' => '#ff0000' }, |
|---|
| 226 | 'rtr6' => { 'port' => '9005','col' => '#ffff00' }, |
|---|
| 227 | ); |
|---|
| 228 | |
|---|
| 229 | Save and exit from the nfsend.conf file. |
|---|
| 230 | |
|---|
| 231 | Remember, you've updated nfsen.conf so you must re-run the install |
|---|
| 232 | script: |
|---|
| 233 | |
|---|
| 234 | # perl install.pl etc/nfsen.conf |
|---|
| 235 | |
|---|
| 236 | Now start and stop nfsen: |
|---|
| 237 | |
|---|
| 238 | # /var/nfsen/bin/nfsen stop |
|---|
| 239 | # /var/nfsen/bin/nfsen start |
|---|
| 240 | |
|---|
| 241 | You can add the nfsen startup script to /etc/init.d/rc.local |
|---|
| 242 | or somewhere similar to start it at bootup.) |
|---|
| 243 | |
|---|
| 244 | |
|---|
| 245 | 8. Installing the PortTracker plugin (Optional or as reference) |
|---|
| 246 | |
|---|
| 247 | - Go the PortTracker directory in the nfsen source distribution: |
|---|
| 248 | |
|---|
| 249 | # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker |
|---|
| 250 | |
|---|
| 251 | # joe do_compile |
|---|
| 252 | |
|---|
| 253 | # path of nfdump sources |
|---|
| 254 | NFDUMP="/home/sysadmin/nfdump-1.6.2" |
|---|
| 255 | |
|---|
| 256 | # path of rrd include file rrd.h |
|---|
| 257 | RRDINCLUDE=/usr/include |
|---|
| 258 | |
|---|
| 259 | # path of rrd library |
|---|
| 260 | LIBRRD=/usr/lib |
|---|
| 261 | |
|---|
| 262 | |
|---|
| 263 | - Compile nftrack: |
|---|
| 264 | |
|---|
| 265 | # ./do_compile |
|---|
| 266 | |
|---|
| 267 | ... |
|---|
| 268 | |
|---|
| 269 | # cp nftrack /usr/local/bin/ |
|---|
| 270 | |
|---|
| 271 | - Make a directory for the nftrack data |
|---|
| 272 | |
|---|
| 273 | # mkdir -p /var/log/netflow/porttracker |
|---|
| 274 | |
|---|
| 275 | - Set the nftrack data directory in the PortTracker.pm module: |
|---|
| 276 | |
|---|
| 277 | # joe PortTracker.pm |
|---|
| 278 | |
|---|
| 279 | ... |
|---|
| 280 | |
|---|
| 281 | my $PORTSDBDIR = "/var/log/netflow/porttracker"; |
|---|
| 282 | |
|---|
| 283 | ... |
|---|
| 284 | |
|---|
| 285 | - Install the plugins into the NFSen distribution |
|---|
| 286 | |
|---|
| 287 | # cp PortTracker.pm /var/nfsen/plugins/ |
|---|
| 288 | # cp PortTracker.php /var/www/nfsen/plugins/ |
|---|
| 289 | |
|---|
| 290 | - Add the plugin definition to the nfsen.conf configuration |
|---|
| 291 | |
|---|
| 292 | # cd ~/nfsen-1.3.5 |
|---|
| 293 | # vi etc/nfsen.conf |
|---|
| 294 | |
|---|
| 295 | ... |
|---|
| 296 | |
|---|
| 297 | @plugins = ( |
|---|
| 298 | [ 'live', 'PortTracker'], |
|---|
| 299 | ); |
|---|
| 300 | |
|---|
| 301 | ... |
|---|
| 302 | |
|---|
| 303 | - Re-run the installation (answer questions) |
|---|
| 304 | |
|---|
| 305 | # perl install.pl etc/nfsen.conf |
|---|
| 306 | |
|---|
| 307 | - Initialize portracker database files |
|---|
| 308 | |
|---|
| 309 | # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker |
|---|
| 310 | |
|---|
| 311 | (This can take a LONG time! - 8 GB worth of files will be created) |
|---|
| 312 | |
|---|
| 313 | - Set the permissions so the netflow user running nfsen, and the www-data |
|---|
| 314 | user running the Web interface, can access the porttracker data: |
|---|
| 315 | |
|---|
| 316 | # chown -R netflow:www-data /var/log/netflow/porttracker |
|---|
| 317 | # chmod -R 775 /var/log/netflow/porttracker |
|---|
| 318 | |
|---|
| 319 | - Reload: |
|---|
| 320 | |
|---|
| 321 | # /var/nfsen/bin/nfsen reload |
|---|
| 322 | |
|---|
| 323 | - Check for success: |
|---|
| 324 | |
|---|
| 325 | # grep -i 'porttracker.*success' /var/log/syslog |
|---|
| 326 | Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success |
|---|
| 327 | Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success |
|---|
| 328 | |
|---|
| 329 | - Wait some minutes, and go the the nfsen GUI |
|---|
| 330 | |
|---|
| 331 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
|---|
| 332 | |
|---|
| 333 | ... and select the Plugins tab. |
|---|
| 334 | |
|---|
| 335 | |
|---|