| 1 | Network Monitoring and Management |
|---|
| 2 | |
|---|
| 3 | Configure Your Router to Export Flows |
|---|
| 4 | ------------------------------------- |
|---|
| 5 | |
|---|
| 6 | 1. Export flows from a router |
|---|
| 7 | |
|---|
| 8 | This is a sample only. |
|---|
| 9 | |
|---|
| 10 | Our router is w, or 10.10.0.254 (classroom gateway) |
|---|
| 11 | |
|---|
| 12 | Log in on the router: |
|---|
| 13 | |
|---|
| 14 | # ssh USERNAME@10.10.0.254 |
|---|
| 15 | gw>enable |
|---|
| 16 | |
|---|
| 17 | Enter the enable password |
|---|
| 18 | |
|---|
| 19 | nm-gw# configure terminal |
|---|
| 20 | nm-gw(config)# interface FastEthernet 0/0 |
|---|
| 21 | nm-gw(config)# ip route-cache flow |
|---|
| 22 | nm-gw(config)# exit |
|---|
| 23 | |
|---|
| 24 | Repeat for FastExthernet 0/1 (and all interfaces you may have that |
|---|
| 25 | are configured) |
|---|
| 26 | |
|---|
| 27 | nm-gw# configure terminal |
|---|
| 28 | nm-gw(config)# interface FastEthernet 0/1 |
|---|
| 29 | nm-gw(config)# ip route-cache flow |
|---|
| 30 | nm-gw(config)# exit |
|---|
| 31 | |
|---|
| 32 | nm-gw# ip flow-export destination 10.10.0.250 9996 |
|---|
| 33 | nm-gw# ip flow-export version 5 |
|---|
| 34 | nm-gw# ip flow-cache timeout active 5 |
|---|
| 35 | |
|---|
| 36 | This breaks up long-lived flows into 5-minute fragments. You can |
|---|
| 37 | choose any number of minutes between 1 and 60. If you leave it at |
|---|
| 38 | the default of 30 minutes your traffic reports will have spikes. |
|---|
| 39 | |
|---|
| 40 | nm-gw# snmp-server ifindex persist |
|---|
| 41 | nm-gw# ^Z |
|---|
| 42 | nm-gw# write mem |
|---|
| 43 | |
|---|
| 44 | This enables ifIndex persistence globally. This ensures that the |
|---|
| 45 | ifIndex values are persisted during router reboots. |
|---|
| 46 | |
|---|
| 47 | Now we'll verify what we've done. |
|---|
| 48 | |
|---|
| 49 | nm-gw# show ip flow export |
|---|
| 50 | nm-gw# show ip cache flow |
|---|
| 51 | |
|---|
| 52 | See your "top talkers" across your router interfaces |
|---|
| 53 | |
|---|
| 54 | nm-gw# show ip flow top-talkers |
|---|
| 55 | |
|---|
| 56 | |
|---|
| 57 | Configure Your Collector |
|---|
| 58 | ------------------------ |
|---|
| 59 | |
|---|
| 60 | 1. Install NFdump |
|---|
| 61 | NFdump is the Netflow flow collector |
|---|
| 62 | |
|---|
| 63 | We install several additional packages that we will need a bit |
|---|
| 64 | later: |
|---|
| 65 | |
|---|
| 66 | # apt-get install rrdtool |
|---|
| 67 | # apt-get install librrds-perl |
|---|
| 68 | # apt-get install librrdp-perl |
|---|
| 69 | # apt-get install librrd-dev |
|---|
| 70 | # apt-get install mrtg |
|---|
| 71 | # apt-get install nfdump |
|---|
| 72 | |
|---|
| 73 | Or, on a single line: |
|---|
| 74 | |
|---|
| 75 | # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump |
|---|
| 76 | |
|---|
| 77 | This will install, among other things, nfcapd, nfdump, nfreplay, |
|---|
| 78 | nfexpire, nftest, nfgen |
|---|
| 79 | |
|---|
| 80 | |
|---|
| 81 | 2. Installing and Setting up NfSen (logged in as root) |
|---|
| 82 | |
|---|
| 83 | # cd /usr/local/src |
|---|
| 84 | # wget http://freefr.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz |
|---|
| 85 | # tar xvzf nfsen-1.3.5.tar.gz |
|---|
| 86 | # cd nfsen-1.3.5 |
|---|
| 87 | # cd etc |
|---|
| 88 | # cp nfsen-dist.conf nfsen.conf |
|---|
| 89 | # joe nfsen.conf |
|---|
| 90 | |
|---|
| 91 | Set the $BASEDIR variable |
|---|
| 92 | |
|---|
| 93 | $BASEDIR="/var/nfsen"; |
|---|
| 94 | |
|---|
| 95 | Set the users appropriately so that Apache can access files: |
|---|
| 96 | |
|---|
| 97 | $WWWUSER = 'www-data'; |
|---|
| 98 | $WWWGROUP = 'www-data' |
|---|
| 99 | |
|---|
| 100 | Adjust the tools path to where items actually reside: |
|---|
| 101 | |
|---|
| 102 | # nfdump tools path |
|---|
| 103 | $PREFIX = '/usr/bin'; |
|---|
| 104 | |
|---|
| 105 | Set the buffer size to something small, so that we see data quickly |
|---|
| 106 | |
|---|
| 107 | # Receive buffer size for nfcapd - see man page nfcapd(1) |
|---|
| 108 | $BUFFLEN = 2000; |
|---|
| 109 | |
|---|
| 110 | Find the %sources definition, and change it to: |
|---|
| 111 | |
|---|
| 112 | %sources=( |
|---|
| 113 | 'gw'=>{'port'=>'2002','col'=>'#0000ff','type'=>'netflow'}, |
|---|
| 114 | ); |
|---|
| 115 | |
|---|
| 116 | Now save and exit from the file. |
|---|
| 117 | |
|---|
| 118 | |
|---|
| 119 | 3. Create the netflow user on the system |
|---|
| 120 | |
|---|
| 121 | # useradd -d /var/netflow -G www-data -m -s /bin/false netflow |
|---|
| 122 | |
|---|
| 123 | |
|---|
| 124 | 4. Initiate NfSen. Any time you make changes to nfsen.conf you will |
|---|
| 125 | have to do this step again. |
|---|
| 126 | |
|---|
| 127 | Make sure we are in the right location: |
|---|
| 128 | |
|---|
| 129 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 130 | |
|---|
| 131 | Now, finally, we install: |
|---|
| 132 | |
|---|
| 133 | # perl install.pl etc/nfsen.conf |
|---|
| 134 | |
|---|
| 135 | Start NfSen |
|---|
| 136 | |
|---|
| 137 | cd /var/nfsen/bin |
|---|
| 138 | ./nfsen start |
|---|
| 139 | |
|---|
| 140 | |
|---|
| 141 | 5. View flows via the web: |
|---|
| 142 | |
|---|
| 143 | # apt-get install php5 |
|---|
| 144 | |
|---|
| 145 | You can find the nfsen output here: |
|---|
| 146 | |
|---|
| 147 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
|---|
| 148 | |
|---|
| 149 | (Below is only if there are problems) |
|---|
| 150 | |
|---|
| 151 | Note that in /usr/local/etc/nfsen-1.3/etc/nfsen.conf there is a variable |
|---|
| 152 | $HTMLDIR that you may need to configure. By default it is set like this: |
|---|
| 153 | |
|---|
| 154 | $HTMLDIR="/var/www/nfsen/"; |
|---|
| 155 | |
|---|
| 156 | In some cases you may need to either move the nfsen directory in your web |
|---|
| 157 | structure, or update the $HTMLDIR variable for your installation. |
|---|
| 158 | |
|---|
| 159 | If you move items, then do: |
|---|
| 160 | |
|---|
| 161 | # /etc/init.d/apache2 restart |
|---|
| 162 | |
|---|
| 163 | |
|---|
| 164 | 6. Verify that flows are arriving |
|---|
| 165 | |
|---|
| 166 | Assuming that you are exporting flows from a router, or routers, to |
|---|
| 167 | your collector box on port 2002 you can check for arriving data using |
|---|
| 168 | tcpdump: |
|---|
| 169 | |
|---|
| 170 | # tcpdump -v udp port 2002 |
|---|
| 171 | |
|---|
| 172 | |
|---|
| 173 | 7. Extend your Netflow configuration (Sample Only - We won't do this) |
|---|
| 174 | |
|---|
| 175 | Go back to where you extracted your nfsen distribution. |
|---|
| 176 | |
|---|
| 177 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 178 | # vi etc/nfsen.conf |
|---|
| 179 | |
|---|
| 180 | Update your sources for new items that you migh have. |
|---|
| 181 | (Sample only!) |
|---|
| 182 | |
|---|
| 183 | %sources = ( |
|---|
| 184 | 'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' }, |
|---|
| 185 | 'lan1gw' => { 'port' => '2201','col' => '#00cc00' }, |
|---|
| 186 | 'lan3gw' => { 'port' => '2203','col' => '#000000' }, |
|---|
| 187 | 'lan4gw' => { 'port' => '2204','col' => '#ff0000' }, |
|---|
| 188 | 'nocgw' => { 'port' => '2206','col' => '#ffff00' }, |
|---|
| 189 | ); |
|---|
| 190 | |
|---|
| 191 | Save and exit from the nfsend.conf file. |
|---|
| 192 | |
|---|
| 193 | Remember, you've updated nfsen.conf so you must re-run the install |
|---|
| 194 | script: |
|---|
| 195 | |
|---|
| 196 | # perl install.pl etc/nfsen.conf |
|---|
| 197 | |
|---|
| 198 | Now start and stop nfsen: |
|---|
| 199 | |
|---|
| 200 | # /var/nfsen/bin/nfsen stop |
|---|
| 201 | # /var/nfsen/bin/nfsen start |
|---|
| 202 | |
|---|
| 203 | You can add the nfsen startup script to /etc/init.d/rc.local |
|---|
| 204 | or somewhere similar to start it at bootup.) |
|---|
| 205 | |
|---|
| 206 | |
|---|
| 207 | 8. Installing the PortTracker plugin (Optional or as reference) |
|---|
| 208 | |
|---|
| 209 | - Go the PortTracker directory in the nfsen source distribution: |
|---|
| 210 | |
|---|
| 211 | # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker |
|---|
| 212 | |
|---|
| 213 | # joe do_compile |
|---|
| 214 | |
|---|
| 215 | # path of nfdump sources |
|---|
| 216 | NFDUMP="/home/sysadmin/nfdump-1.6.2" |
|---|
| 217 | |
|---|
| 218 | # path of rrd include file rrd.h |
|---|
| 219 | RRDINCLUDE=/usr/include |
|---|
| 220 | |
|---|
| 221 | # path of rrd library |
|---|
| 222 | LIBRRD=/usr/lib |
|---|
| 223 | |
|---|
| 224 | |
|---|
| 225 | - Compile nftrack: |
|---|
| 226 | |
|---|
| 227 | # ./do_compile |
|---|
| 228 | |
|---|
| 229 | ... |
|---|
| 230 | |
|---|
| 231 | # cp nftrack /usr/local/bin/ |
|---|
| 232 | |
|---|
| 233 | - Make a directory for the nftrack data |
|---|
| 234 | |
|---|
| 235 | # mkdir -p /var/log/netflow/porttracker |
|---|
| 236 | |
|---|
| 237 | - Set the nftrack data directory in the PortTracker.pm module: |
|---|
| 238 | |
|---|
| 239 | # joe PortTracker.pm |
|---|
| 240 | |
|---|
| 241 | ... |
|---|
| 242 | |
|---|
| 243 | my $PORTSDBDIR = "/var/log/netflow/porttracker"; |
|---|
| 244 | |
|---|
| 245 | ... |
|---|
| 246 | |
|---|
| 247 | - Install the plugins into the NFSen distribution |
|---|
| 248 | |
|---|
| 249 | # cp PortTracker.pm /var/nfsen/plugins/ |
|---|
| 250 | # cp PortTracker.php /var/www/nfsen/plugins/ |
|---|
| 251 | |
|---|
| 252 | - Add the plugin definition to the nfsen.conf configuration |
|---|
| 253 | |
|---|
| 254 | # cd ~/nfsen-1.3.5 |
|---|
| 255 | # vi etc/nfsen.conf |
|---|
| 256 | |
|---|
| 257 | ... |
|---|
| 258 | |
|---|
| 259 | @plugins = ( |
|---|
| 260 | [ 'live', 'PortTracker'], |
|---|
| 261 | ); |
|---|
| 262 | |
|---|
| 263 | ... |
|---|
| 264 | |
|---|
| 265 | - Re-run the installation (answer questions) |
|---|
| 266 | |
|---|
| 267 | # perl install.pl etc/nfsen.conf |
|---|
| 268 | |
|---|
| 269 | - Initialize portracker database files |
|---|
| 270 | |
|---|
| 271 | # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker |
|---|
| 272 | |
|---|
| 273 | (This can take a LONG time! - 8 GB worth of files will be created) |
|---|
| 274 | |
|---|
| 275 | - Set the permissions so the netflow user running nfsen, and the www-data |
|---|
| 276 | user running the Web interface, can access the porttracker data: |
|---|
| 277 | |
|---|
| 278 | # chown -R netflow:www-data /var/log/netflow/porttracker |
|---|
| 279 | # chmod -R 775 /var/log/netflow/porttracker |
|---|
| 280 | |
|---|
| 281 | - Reload: |
|---|
| 282 | |
|---|
| 283 | # /var/nfsen/bin/nfsen reload |
|---|
| 284 | |
|---|
| 285 | - Check for success: |
|---|
| 286 | |
|---|
| 287 | # grep -i 'porttracker.*success' /var/log/syslog |
|---|
| 288 | Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success |
|---|
| 289 | Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success |
|---|
| 290 | |
|---|
| 291 | - Wait some minutes, and go the the nfsen GUI |
|---|
| 292 | |
|---|
| 293 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
|---|
| 294 | |
|---|
| 295 | ... and select the Plugins tab. |
|---|
| 296 | |
|---|
| 297 | |
|---|