Agenda: exercises-netflow-nfsen.txt

File exercises-netflow-nfsen.txt, 9.2 KB (added by admin, 7 years ago)
Network Monitoring and Management

Configure Your Router to Export Flows
-------------------------------------

1. Export flows from a router

This is a sample for doing this from the Group 1 router, rtr1.ws.nsrc.org, to
the PC named pc1.ws.nsrc.org, or 10.10.1.1. In each of your groups 1 through 9
you must choose one person to type in the commands to set up the router for
Netflow and one PC where the Netflow exports will go. IOS can unfortunately not
send Netflow messages to more than 1 or 2 devices, so we will use only 1 now.

For example, if our router is rtr1, or 10.10.1.254 (Group 1 gateway):

Log in on the router:

   # ssh cisco@10.10.1.254
   rtr1.ws.nsrc.org> enable

Enter the enable password...

Configure FastEthernet 0/0 to generate netflow:

   rtr1.ws.nsrc.org# configure terminal
   rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
   rtr1.ws.nsrc.org(config-if)# ip flow ingress
   rtr1.ws.nsrc.org(config-if)# ip flow egress
   rtr1.ws.nsrc.org(config-if)# exit
   rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9996
   rtr1.ws.nsrc.org(config)# ip flow-export version 5
   rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5

This breaks up long-lived flows into 5-minute fragments. You can
choose any number of minutes between 1 and 60. If you leave it at
the default of 30 minutes your traffic reports will have spikes.

   rtr1.ws.nsrc.org(config)# snmp-server ifindex persist

This enables ifIndex persistence globally, so that the ifIndex values
survive router reboots.

Now configure how you want the ip flow top-talkers to work:

   rtr1.ws.nsrc.org(config)# ip flow-top-talkers
   rtr1.ws.nsrc.org(config-flow-top-talkers)# top 20
   rtr1.ws.nsrc.org(config-flow-top-talkers)# sort-by bytes
   rtr1.ws.nsrc.org(config-flow-top-talkers)# end

Now we'll verify what we've done.

   rtr1.ws.nsrc.org# show ip flow export
   rtr1.ws.nsrc.org# show ip cache flow

See your "top talkers" across your router interfaces:

   rtr1.ws.nsrc.org# show ip flow top-talkers

If it all looks good then write your running-config to non-volatile
RAM (i.e. the startup-config):

   rtr1.ws.nsrc.org# wr mem

You can exit from the router now:

   rtr1.ws.nsrc.org# exit

and on the machine where flows are being exported to you can verify that they
are arriving by doing (as root):

        # tcpdump -v udp port 9996

In addition (_PLEASE NOTE_) we are re-exporting NetFlow data from the gateway
router to all the PCs in the classroom. You can verify that these flows are
arriving by typing:

        # tcpdump -v udp port 9009

For the exercises we'll assume you are on a PC where flows are only arriving
from the gateway router and we'll use the 9009 port.


Configure Your Collector
------------------------

1. Install NFdump
   NFdump is the Netflow flow collector.

   We also install several additional packages that we will need a bit
   later.

Only install these if you did not already install mrtg and rrdtool:

   # apt-get install rrdtool
   # apt-get install librrds-perl
   # apt-get install librrdp-perl
   # apt-get install mrtg
   # apt-get install libmailtools-perl

If mrtg and rrdtool are already installed, then you just need these:

   # apt-get install librrd-dev
   # apt-get install nfdump
   # apt-get install libmailtools-perl

Or, on a single line:

   # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump \
                libmailtools-perl

   This will install, among other things, nfcapd, nfdump, nfreplay,
   nfexpire, nftest and nfgen.


2. Installing and Setting up NfSen (logged in as root)

   # cd /usr/local/src
   # wget http://noc.ws.nsrc.org/downloads/nfsen-1.3.5.tar.gz
   # tar xvzf nfsen-1.3.5.tar.gz
   # cd nfsen-1.3.5
   # cd etc
   # cp nfsen-dist.conf nfsen.conf
   # editor nfsen.conf

Set the $BASEDIR variable:

   $BASEDIR="/var/nfsen";

Set the users appropriately so that Apache can access files:

   $WWWUSER = 'www-data';
   $WWWGROUP = 'www-data';

Adjust the tools path to where items actually reside:

        # nfdump tools path
        $PREFIX = '/usr/bin';

Set the buffer size to something small, so that we see data quickly:

        # Receive buffer size for nfcapd - see man page nfcapd(1)
        $BUFFLEN = 2000;

Find the %sources definition, and change it to:

   %sources=(
     'rtrX'=>{'port'=>'9996','col'=>'#ff0000','type'=>'netflow'},
     'gw'=>{'port'=>'9009','col'=>'#0000ff','type'=>'netflow'},
   );

Now save and exit from the file.


3. Create the netflow user on the system

   # useradd -d /var/netflow -G www-data -m -s /bin/false netflow


4. Initiate NfSen. Any time you make changes to nfsen.conf you will
   have to do this step again.

Make sure we are in the right location:

   # cd /usr/local/src/nfsen-1.3.5

Now, finally, we install:

   # perl install.pl etc/nfsen.conf

Start NfSen:

   # cd /var/nfsen/bin
   # ./nfsen start


5. View flows via the web:

   This should not be necessary, but just in case:

   # apt-get install php5

You can find the nfsen output here:

   http://pcN.ws.nsrc.org/nfsen/nfsen.php

(Below is only if there are problems)

Note that in /usr/local/src/nfsen-1.3.5/etc/nfsen.conf there is a variable
$HTMLDIR that you may need to configure. By default it is set like this:

   $HTMLDIR="/var/www/nfsen/";

In some cases you may need to either move the nfsen directory in your web
structure, or update the $HTMLDIR variable for your installation.

If you move items, then do:

   # /etc/init.d/apache2 restart


6. Verify that flows are arriving

Assuming that you are exporting flows from a router, or routers, to
your collector box on port 9009 you can check for arriving data using
tcpdump:

   # tcpdump -v udp port 9009
   # tcpdump -v udp port 9996
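
tcpdump only shows that UDP datagrams arrive; to see what the router actually put in them, here is a small NetFlow v5 decoder added for this exercise (it is not part of the NSRC materials or of the nfdump/nfsen tools). The sample datagram it decodes is constructed inside the code and reuses the rtr1/pc1 addresses from the router example above.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format (big-endian): a 24-byte header followed by up to
# thirty 48-byte flow records. Field order follows the Cisco v5 export format.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

def parse_netflow_v5(data):
    """Decode one v5 datagram into (header dict, list of record dicts).
    Raises ValueError for anything that is not a well-formed v5 export."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _etype, engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # Trust the count only if the datagram really carries that many records.
    if count > 30 or len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match datagram length" % count)
    header = {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
              "flow_sequence": flow_seq, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "input_if": f[3], "output_if": f[4], "packets": f[5], "bytes": f[6],
            "duration_ms": f[8] - f[7],   # last - first, in router uptime ms
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return header, records

def sample_datagram():
    """Constructed export (not a real capture): one HTTP flow 10.10.1.1 -> 10.10.2.1
    with 12 packets / 9000 bytes, as rtr1 would send it to the collector."""
    hdr = struct.pack(HEADER_FMT, 5, 1, 600000, 1700000000, 0, 42, 0, 0, 0)
    rec = struct.pack(RECORD_FMT, IPv4Address("10.10.1.1").packed,
                      IPv4Address("10.10.2.1").packed, IPv4Address("10.10.1.254").packed,
                      1, 2, 12, 9000, 590000, 599000, 49152, 80, 0, 0x1b, 6, 0,
                      0, 0, 24, 24, 0)
    return hdr + rec
```

To watch the live export, bind a UDP socket to port 9009 (or 9996) and hand each datagram you receive to parse_netflow_v5.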

OPTIONAL


7. Installing the PortTracker plugin (Optional or as reference)

   # apt-get install bison flex
   # cd /usr/local/src
   # wget http://noc.ws.nsrc.org/downloads/nfdump-1.6.3p1.tar.gz
   # tar xvzf nfdump-1.6.3p1.tar.gz
   # cd nfdump-1.6.3p1
   # ./configure
   # make



- Go to the PortTracker directory in the nfsen source distribution:

   # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker

   # editor do_compile

      # path of nfdump sources
      NFDUMP="/usr/local/src/nfdump-1.6.3p1"

      # path of rrd include file rrd.h
      RRDINCLUDE=/usr/include

      # path of rrd library
      LIBRRD=/usr/lib

- Compile nftrack:

   # ./do_compile

...

   # cp nftrack /usr/bin/

- Make a directory for the nftrack data:

   # mkdir -p /var/log/netflow/porttracker
   # chown www-data /var/log/netflow/porttracker

- Set the nftrack data directory in the PortTracker.pm module:

   # editor PortTracker.pm

    Find the line:

        my $PORTSDBDIR = "/data/ports-db";

    and change it to:

        my $PORTSDBDIR = "/var/log/netflow/porttracker";

    ...

- Install the plugins into the NFSen distribution:

   # cp PortTracker.pm /var/nfsen/plugins/
   # cp PortTracker.php /var/www/nfsen/plugins/

- Add the plugin definition to the nfsen.conf configuration:

   # cd /usr/local/src/nfsen-1.3.5
   # editor etc/nfsen.conf

    Find the plugins section and make it look like this:

       @plugins = (
           [ 'live',   'PortTracker'],
       );

    ...

- Re-run the installation (answer questions):

   # perl install.pl etc/nfsen.conf

- Initialize the PortTracker database files:

   # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker

    (This can take a LONG time! - 8 GB worth of files will be created)

- Set the permissions so the netflow user running nfsen, and the www-data
  user running the Web interface, can access the porttracker data:

   # chown -R netflow:www-data /var/log/netflow/porttracker
   # chmod -R 775 /var/log/netflow/porttracker

- Reload:

   # /var/nfsen/bin/nfsen reload

- Check for success:

   # grep -i 'porttracker.*success' /var/log/syslog
   Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
   Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success

- Wait some minutes, then go to the nfsen GUI

    http://pcN.ws.nsrc.org/nfsen/nfsen.php

... and select the Plugins tab.

If you get an error "Cannot Read Stats file", check the /var/log/netflow/porttracker
directory for 2 additional files, portstat24.txt and portstat.txt, like this:

        # ls -l /var/log/netflow/porttracker/portstat*
        -rw-r--r-- 1 netflow www-data     677 2011-11-17 14:30 /var/log/netflow/porttracker/portstat24.txt
        -rwxrwxr-x 1 netflow www-data     638 2011-11-17 14:30 /var/log/netflow/porttracker/portstat.txt



8. If you wanted to add more sources...

Go back to where you extracted your nfsen distribution.

   # cd /usr/local/src/nfsen-1.3.5
   # editor etc/nfsen.conf

Update your sources for new items that you might have.
(Sample only!)

        %sources = (
        'rtr'  => { 'port' => '9000', 'col' => '#e4e4e4' },
        'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
        'rtr3' => { 'port' => '9002', 'col' => '#00cc00' },
        'rtr4' => { 'port' => '9003', 'col' => '#000000' },
        'rtr5' => { 'port' => '9004', 'col' => '#ff0000' },
        'rtr6' => { 'port' => '9005', 'col' => '#ffff00' },
        );

Save and exit from the nfsen.conf file.

Remember, you've updated nfsen.conf so you must re-run the install
script:

   # perl install.pl etc/nfsen.conf

Now stop and start nfsen:

   # /var/nfsen/bin/nfsen stop
   # /var/nfsen/bin/nfsen start

You can add the nfsen startup script to /etc/init.d/rc.local
or somewhere similar to start it at bootup.

356You can add the nfsen startup script to /etc/init.d/rc.local
357or somewhere similar to start it at bootup.)
358
359