Agenda: exercises-netflow.txt

File exercises-netflow.txt, 8.3 KB (added by admin, 8 years ago)
Network Monitoring and Management

Configure Your Router to Export Flows
-------------------------------------

1. Export flows from a router

This is a sample of doing this from the Group 1 router, rtr1.ws.nsrc.org, to
the PC named pc1.ws.nsrc.org, or 10.10.1.1. In each of your groups, for router 1
through router 6, choose one person to type in the commands that set up the
router for NetFlow and one PC where the NetFlow exports will go.

Our router is rtr1, or 10.10.1.254 (Group 1 gateway).

Log in on the router (telnet sends the enable password in clear text; that
is acceptable on the isolated lab network, but use ssh on a real router):

   # telnet 10.10.1.254
   rtr1.ws.nsrc.org> enable

Enter the enable password.

   rtr1.ws.nsrc.org# configure terminal
   rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
   rtr1.ws.nsrc.org(config-if)# ip route-cache flow
   rtr1.ws.nsrc.org(config-if)# exit

Repeat for FastEthernet 0/1 (and all other interfaces you have
configured); NetFlow only accounts traffic entering interfaces where
this is switched on:

   rtr1.ws.nsrc.org(config)# interface FastEthernet 0/1
   rtr1.ws.nsrc.org(config-if)# ip route-cache flow
   rtr1.ws.nsrc.org(config-if)# exit

   rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9996
   rtr1.ws.nsrc.org(config)# ip flow-export version 5
   rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5

This breaks up long-lived flows into 5-minute fragments. You can
choose any number of minutes between 1 and 60. If you leave it at
the default of 30 minutes, a long transfer is only reported when the
flow finally expires, so your traffic reports will have spikes.

   rtr1.ws.nsrc.org(config)# snmp-server ifindex persist

This enables ifIndex persistence globally, so that the ifIndex values
(which the flow records use to identify the input and output
interfaces) survive router reboots.

Now configure how you want the ip flow top-talkers to work:

   rtr1.ws.nsrc.org(config)# ip flow-top-talkers
   rtr1.ws.nsrc.org(config-flow-top-talkers)# top 20
   rtr1.ws.nsrc.org(config-flow-top-talkers)# sort-by bytes
   rtr1.ws.nsrc.org(config-flow-top-talkers)# end

Now we'll verify what we've done:

   rtr1.ws.nsrc.org# show ip flow export
   rtr1.ws.nsrc.org# show ip cache flow

See your "top talkers" across your router interfaces:

   rtr1.ws.nsrc.org# show ip flow top-talkers

If it all looks good then write your running-config to non-volatile
RAM (i.e. the startup-config):

   rtr1.ws.nsrc.org# wr mem

You can exit from the router now:

   rtr1.ws.nsrc.org# exit

and on the machine where flows are being exported to you can verify that they
are arriving by doing (as root):

        # tcpdump -v udp port 9996

Note that NetFlow v5 export is plain UDP with no authentication or
encryption: anything that can send UDP to port 9996 on this PC will be
accepted as flow data, so outside the lab restrict the collector port
to the router's address with a host firewall.

In addition (_PLEASE NOTE_) we are re-exporting NetFlow data from the gateway
router to all the PCs in the classroom. You can verify that these flows are
arriving by typing:

        # tcpdump -v udp port 9009

For the exercises we'll assume you are on a PC where flows are only arriving
from the gateway router and we'll use the 9009 port.
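
tcpdump only shows that UDP packets are landing on the port. The following is an
added example (not part of the NSRC exercise, nfdump, or the router output) that
decodes what the router is actually sending: the NetFlow v5 header and records,
with the length and count checks a collector has to make, a per-source byte total
equivalent to "show ip flow top-talkers", and a listener that accepts exports only
from the router's address (assumed here to be 10.10.1.254 on port 9009). The
packet it decodes when run stand-alone is constructed in the script, not a
capture.

```python
"""Decode NetFlow v5 export packets like the ones rtr1 now sends, and accept
them only from the router we configured.  Added example for this exercise;
not part of the NSRC material or of nfdump."""
import socket
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by 1..30 records of
# 48 bytes each, every field big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(data):
    """Decode one export packet into (header, records); ValueError if malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_sequence,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if not 1 <= count <= 30:
        raise ValueError("bad record count %d" % count)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError("length %d, expected %d for %d records"
                         % (len(data), expected, count))
    header = {
        "count": count,
        "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs,
        "flow_sequence": flow_sequence,          # a gap here = lost export packets
        "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,  # top two bits are the mode
    }
    records = []
    for i in range(count):
        (src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport,
         dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as, _src_mask,
         _dst_mask, _pad2) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "input_ifindex": ifin, "output_ifindex": ifout,   # SNMP ifIndex
            "packets": pkts, "bytes": octets, "duration_ms": last - first,
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)), "tcp_flags": tcp_flags,
        })
    return header, records


def top_talkers(records, n=20):
    """Bytes per source address, like 'ip flow-top-talkers ... sort-by bytes'."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_packet():
    """Constructed packet (not a capture): one HTTPS session from 10.10.1.10
    and one DNS query from 10.10.1.11, as rtr1 might export them."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1000, 0, 0, 0)
    https = V5_RECORD.pack(
        IPv4Address("10.10.1.10").packed, IPv4Address("203.0.113.5").packed,
        IPv4Address("10.10.1.254").packed, 1, 2, 42, 30000, 100000, 123000,
        51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(
        IPv4Address("10.10.1.11").packed, IPv4Address("10.10.0.241").packed,
        b"\x00" * 4, 1, 2, 1, 80, 120000, 120000, 40000, 53,
        0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + https + dns


def listen(port=9009, allowed_sources=("10.10.1.254",)):
    """Receive exports on the collector port and decode only the router's.
    NetFlow v5 is unauthenticated UDP, so this source check (or a host
    firewall rule doing the same) is all that keeps spoofed or stray
    exports out of your statistics."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        if src_ip not in allowed_sources:
            print("ignoring %d bytes from unexpected exporter %s" % (len(data), src_ip))
            continue
        try:
            header, records = parse_netflow_v5(data)
        except ValueError as err:
            print("dropping packet from %s: %s" % (src_ip, err))
            continue
        print("seq %d: %d flows" % (header["flow_sequence"], len(records)))
        for src, nbytes in top_talkers(records):
            print("  %-15s %d bytes" % (src, nbytes))


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_packet())
    print(hdr)
    for rec in recs:
        print(rec)
    # listen()   # run this on the collector PC to decode live exports
```

Run as-is it decodes the constructed packet; uncomment listen() on the PC that
receives the exports (stop nfcapd first, or pick a port it is not bound to) to
watch the live stream. A jump in flow_sequence between consecutive packets means
the router sent exports the collector never got.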


Configure Your Collector
------------------------

1. Install NFdump
   NFdump provides the NetFlow collector daemon (nfcapd) and the
   command-line tool for querying the stored flows (nfdump).

   We install several additional packages that we will need a bit
   later:

Only install these if you did not already install mrtg and rrdtool:

   # apt-get install rrdtool
   # apt-get install librrds-perl
   # apt-get install librrdp-perl
   # apt-get install mrtg

If mrtg and rrdtool are already installed, then you just need these:

   # apt-get install librrd-dev
   # apt-get install nfdump

Or, on a single line:

   # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump

   This will install, among other things, nfcapd, nfdump, nfreplay,
   nfexpire, nftest, nfgen


2. Installing and Setting up NfSen (logged in as root)

   # cd /usr/local/src
   # wget http://noc.ws.nsrc.org/software/nfsen-1.3.5.tar.gz
   # tar xvzf nfsen-1.3.5.tar.gz
   # cd nfsen-1.3.5
   # cd etc
   # cp nfsen-dist.conf nfsen.conf
   # joe nfsen.conf

Set the $BASEDIR variable:

   $BASEDIR="/var/nfsen";

Set the users appropriately so that Apache can access files:

   $WWWUSER = 'www-data';
   $WWWGROUP = 'www-data';

Adjust the tools path to where the nfdump binaries actually reside
(the Debian package puts them in /usr/bin):

   # nfdump tools path
   $PREFIX = '/usr/bin';

Set the buffer size to something small, so that we see data quickly.
($BUFFLEN is the UDP receive buffer nfcapd asks for; on a busy
production collector leave it at the much larger default, otherwise
export packets are dropped under load.)

   # Receive buffer size for nfcapd - see man page nfcapd(1)
   $BUFFLEN = 2000;

Find the %sources definition, and change it to:

   %sources=(
   'rtrX'=>{'port'=>'9009','col'=>'#0000ff','type'=>'netflow'},
   );

Now save and exit from the file.


3. Create the netflow user on the system

   # useradd -d /var/netflow -G www-data -m -s /bin/false netflow


4. Initiate NfSen. Any time you make changes to nfsen.conf you will
   have to do this step again.

Make sure we are in the right location:

   # cd /usr/local/src/nfsen-1.3.5

Now, finally, we install:

   # perl install.pl etc/nfsen.conf

Start NfSen:

   # cd /var/nfsen/bin
   # ./nfsen start


5. View flows via the web:

   # apt-get install php5

You can find the nfsen output here:

   http://pcN.ws.nsrc.org/nfsen/nfsen.php

NfSen does not authenticate users itself; it relies on the web server
for that. If this PC is reachable from outside the lab, restrict access
to /nfsen in the Apache configuration, since anyone who can load the
page can see every flow on your network.

(Below is only if there are problems)

Note that in /usr/local/src/nfsen-1.3.5/etc/nfsen.conf there is a variable
$HTMLDIR that you may need to configure. By default it is set like this:

   $HTMLDIR="/var/www/nfsen/";

In some cases you may need to either move the nfsen directory in your web
structure, or update the $HTMLDIR variable for your installation.

If you move items, then do:

   # /etc/init.d/apache2 restart


6. Verify that flows are arriving

Assuming that you are exporting flows from a router, or routers, to
your collector box on port 9009 you can check for arriving data using
tcpdump:

   # tcpdump -v udp port 9009

tcpdump only proves the packets reach the PC. To confirm nfcapd is
storing them, look for new nfcapd.* files (one every 5 minutes) under
/var/nfsen/profiles-data/live/rtrX/ after NfSen has been running for a
few minutes.


7. Extend your Netflow configuration (Sample Only - We won't do this)

Go back to where you extracted your nfsen distribution.

   # cd /usr/local/src/nfsen-1.3.5
   # vi etc/nfsen.conf

Update your sources for new items that you might have. Each exporter
gets its own UDP port; that is how nfcapd tells the routers apart.
(Sample only!)

        %sources = (
        'rtr'  => { 'port' => '9000', 'col' => '#e4e4e4' },
        'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
        'rtr3' => { 'port' => '9002', 'col' => '#00cc00' },
        'rtr4' => { 'port' => '9003', 'col' => '#000000' },
        'rtr5' => { 'port' => '9004', 'col' => '#ff0000' },
        'rtr6' => { 'port' => '9005', 'col' => '#ffff00' },
        );

Save and exit from the nfsen.conf file.

Remember, you've updated nfsen.conf so you must re-run the install
script:

   # perl install.pl etc/nfsen.conf

Now stop and start nfsen:

   # /var/nfsen/bin/nfsen stop
   # /var/nfsen/bin/nfsen start

You can add the nfsen start command to /etc/rc.local or somewhere
similar to start it at bootup.
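
Both the single-source %sources table in step 2 and the multi-router one above
are easy to get subtly wrong: a colour without the leading '#', two routers on
the same port (nfcapd then files both as one source), or a source that was added
to the file but never picked up because install.pl was not re-run. The following
is an added example (not part of NfSen or the NSRC exercise) that parses the
%sources hash out of nfsen.conf text, reports those mistakes, and cross-checks
the configured ports against /proc/net/udp to see which collectors are actually
bound. The nfsen.conf fragment and /proc/net/udp lines it runs on are constructed
for the example; the path /usr/local/src/nfsen-1.3.5/etc/nfsen.conf in the usage
comment is the one this exercise uses.

```python
"""Sanity-check the %sources table in nfsen.conf and confirm that nfcapd is
listening on every port it names.  Added example for this exercise; not
part of NfSen or of the NSRC material."""
import re

SOURCE_RE = re.compile(r"'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}")
KV_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")
COLOUR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")
KNOWN_TYPES = {"netflow", "sflow"}   # 'type' values this NfSen version documents


def parse_sources(conf_text):
    """Extract %sources from nfsen.conf text into {name: {key: value}}."""
    m = re.search(r"%sources\s*=\s*\((.*?)\);", conf_text, re.S)
    if not m:
        raise ValueError("no %sources definition found")
    return {s.group("name"): dict(KV_RE.findall(s.group("body")))
            for s in SOURCE_RE.finditer(m.group(1))}


def check_sources(sources):
    """Return a list of problems; an empty list means the table looks sane."""
    problems, port_owner = [], {}
    for name, attrs in sources.items():
        port = attrs.get("port", "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append("%s: port %r is not a valid UDP port" % (name, port))
        elif port in port_owner:
            # two exporters on one port: nfcapd stores them as one source
            problems.append("%s: port %s is already used by %s"
                            % (name, port, port_owner[port]))
        else:
            port_owner[port] = name
        if not COLOUR_RE.match(attrs.get("col", "")):
            problems.append("%s: col %r must be '#rrggbb'" % (name, attrs.get("col")))
        if attrs.get("type", "netflow") not in KNOWN_TYPES:
            problems.append("%s: unknown type %r" % (name, attrs.get("type")))
    return problems


def listening_udp_ports(proc_net_udp_text):
    """Parse the text of /proc/net/udp into the set of locally bound ports
    (the local_address column is hex IP:port)."""
    ports = set()
    for line in proc_net_udp_text.splitlines():
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def unbound_sources(sources, listening):
    """Sources whose port has no UDP listener, i.e. no nfcapd is running for
    them (install.pl not re-run, or nfsen not restarted)."""
    return sorted(name for name, attrs in sources.items()
                  if attrs.get("port", "").isdigit()
                  and int(attrs["port"]) not in listening)


def audit(conf_text, proc_net_udp_text):
    """Config sanity problems plus the sources that are not actually bound."""
    sources = parse_sources(conf_text)
    listening = listening_udp_ports(proc_net_udp_text)
    return check_sources(sources), unbound_sources(sources, listening)


# Constructed inputs (not from a real system): a %sources table containing
# two easy mistakes, and a /proc/net/udp where only port 9000 is bound.
SAMPLE_CONF = """
%sources = (
'rtr'  => { 'port' => '9000', 'col' => 'e4e4e4' },
'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
'rtr3' => { 'port' => '9001', 'col' => '#00cc00', 'type' => 'netflow' },
);
"""
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   5: 00000000:2328 00000000:0000 07 00000000:00000000 00:00000000 00000000  1001        0 20001 2 0000000000000000 0
"""


if __name__ == "__main__":
    # On the collector:
    #   audit(open("/usr/local/src/nfsen-1.3.5/etc/nfsen.conf").read(),
    #         open("/proc/net/udp").read())
    problems, unbound = audit(SAMPLE_CONF, SAMPLE_PROC_NET_UDP)
    for p in problems:
        print("config:", p)
    for name in unbound:
        print("not listening:", name)
```

Against the constructed input it reports the missing '#' on rtr, the port shared
by rtr2 and rtr3, and that nothing is bound for rtr2 and rtr3; on a real
collector, a source listed as "not listening" right after editing nfsen.conf is
almost always the forgotten install.pl run.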


8. Installing the PortTracker plugin (Optional or as reference)

- Go to the PortTracker directory in the nfsen source distribution:

   # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker

   # joe do_compile

      # path of nfdump sources
      NFDUMP="/home/sysadmin/nfdump-1.6.2"

      # path of rrd include file rrd.h
      RRDINCLUDE=/usr/include

      # path of rrd library
      LIBRRD=/usr/lib

  (NFDUMP must point at an unpacked nfdump source tree: the apt-get
  package installed above contains only the binaries, so first fetch
  and unpack the nfdump source that matches your installed version.)


- Compile nftrack:

   # ./do_compile

...

   # cp nftrack /usr/local/bin/

- Make a directory for the nftrack data:

   # mkdir -p /var/log/netflow/porttracker

- Set the nftrack data directory in the PortTracker.pm module:

   # joe PortTracker.pm

    ...

       my $PORTSDBDIR = "/var/log/netflow/porttracker";

    ...

- Install the plugins into the NfSen distribution:

   # cp PortTracker.pm /var/nfsen/plugins/
   # cp PortTracker.php /var/www/nfsen/plugins/

- Add the plugin definition to the nfsen.conf configuration:

   # cd /usr/local/src/nfsen-1.3.5
   # vi etc/nfsen.conf

    ...

       @plugins = (
           [ 'live',   'PortTracker'],
       );

    ...

- Re-run the installation (answer questions):

   # perl install.pl etc/nfsen.conf

- Initialize the porttracker database files:

   # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker

    (This can take a LONG time! - 8 GB worth of files will be created,
    so check the free space on /var/log first.)

- Set the permissions so the netflow user running nfsen, and the www-data
  user running the Web interface, can access the porttracker data:

   # chown -R netflow:www-data /var/log/netflow/porttracker
   # chmod -R 775 /var/log/netflow/porttracker

- Reload:

   # /var/nfsen/bin/nfsen reload

- Check for success:

   # grep -i 'porttracker.*success' /var/log/syslog
   Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
   Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success

- Wait some minutes, and go to the nfsen GUI:

    http://pcN.ws.nsrc.org/nfsen/nfsen.php

... and select the Plugins tab.

332
333... and select the Plugins tab.
334
335