Agenda: exercises-netflow.txt

File exercises-netflow.txt, 6.7 KB (added by admin, 8 years ago)
Network Monitoring and Management

Configure Your Router to Export Flows
-------------------------------------

1. Export flows from a router

This is a sample only.

Our router is gw, or 10.10.0.254 (the classroom gateway).

Log in on the router:

   # ssh USERNAME@10.10.0.254
   gw>enable

Enter the enable password.

   nm-gw# configure terminal
   nm-gw(config)# interface FastEthernet 0/0
   nm-gw(config-if)# ip route-cache flow
   nm-gw(config-if)# exit

Repeat for FastEthernet 0/1 (and all other interfaces you have
configured):

   nm-gw(config)# interface FastEthernet 0/1
   nm-gw(config-if)# ip route-cache flow
   nm-gw(config-if)# exit

Still in global configuration mode, tell the router where to send the
flows:

   nm-gw(config)# ip flow-export destination 10.10.0.250 9996
   nm-gw(config)# ip flow-export version 5
   nm-gw(config)# ip flow-cache timeout active 5

The destination is your collector and the port is the UDP port the
collector listens on. It must match the 'port' given for this router
in the %sources definition of nfsen.conf (the collector section below
uses port 2002 for the 'gw' source), so use the same number in both
places. NetFlow v5 is plain UDP with no authentication: anything that
can send packets to that port can inject flow records, so export over
a management network where you can, and filter the collector port to
the addresses of your exporters.

The active timeout breaks up long-lived flows into 5-minute fragments.
You can choose any number of minutes between 1 and 60. If you leave it
at the default of 30 minutes, a long-lived flow is only reported once
every 30 minutes and your traffic graphs will show spikes.

   nm-gw(config)# snmp-server ifindex persist
   nm-gw(config)# ^Z
   nm-gw# write mem

This enables ifIndex persistence globally, so that the ifIndex values
(which every flow record uses to identify its input and output
interface) survive router reboots.

Now we'll verify what we've done:

   nm-gw# show ip flow export
   nm-gw# show ip cache flow

See your "top talkers" across your router interfaces:

   nm-gw# show ip flow top-talkers

(This last command only reports something once top talkers is enabled
in global configuration with "ip flow-top-talkers", giving a "top"
count and a "sort-by" field; otherwise it answers that top talkers are
not configured.)

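To make concrete what the router actually sends once "ip flow-export version 5" and "ip flow-cache timeout active 5" are in place, here is an added example (it is not part of the original exercise, nor Cisco or NfSen code) that encodes and decodes the NetFlow v5 datagram format in Python and re-joins the fragments the active timeout produces. All sample values are constructed: the classroom host 10.10.0.5, the destination 192.0.2.10, the ifIndex numbers 1 and 2 and the byte counts are assumptions made for the example.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire format as exported by "ip flow-export version 5":
# a 24-byte header followed by 1..30 fixed-size 48-byte flow records,
# all fields big-endian. There is no authentication or integrity field.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output",
                 "dPkts", "dOctets", "first", "last", "srcport", "dstport",
                 "pad1", "tcp_flags", "prot", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")

ACTIVE_TIMEOUT_MS = 5 * 60 * 1000   # "ip flow-cache timeout active 5"

# Constructed sample: one 12-minute HTTPS download from an (assumed)
# classroom host, as the router reports it with a 5-minute active
# timeout: three records (5 + 5 + 2 minutes) for the same 5-tuple.
# ifIndex 1 (input) and 2 (output) are assumed values.
SAMPLE_RECORDS = [
    {"srcaddr": "10.10.0.5", "dstaddr": "192.0.2.10", "input": 1, "output": 2,
     "srcport": 51000, "dstport": 443, "prot": 6, "dPkts": 4000,
     "dOctets": 5_000_000, "first": 0, "last": ACTIVE_TIMEOUT_MS},
    {"srcaddr": "10.10.0.5", "dstaddr": "192.0.2.10", "input": 1, "output": 2,
     "srcport": 51000, "dstport": 443, "prot": 6, "dPkts": 4000,
     "dOctets": 5_000_000, "first": ACTIVE_TIMEOUT_MS, "last": 2 * ACTIVE_TIMEOUT_MS},
    {"srcaddr": "10.10.0.5", "dstaddr": "192.0.2.10", "input": 1, "output": 2,
     "srcport": 51000, "dstport": 443, "prot": 6, "dPkts": 1600,
     "dOctets": 2_000_000, "first": 2 * ACTIVE_TIMEOUT_MS,
     "last": 2 * ACTIVE_TIMEOUT_MS + 120_000},
]


def build_v5(records, sys_uptime, unix_secs, flow_sequence=0):
    """Encode record dicts into one v5 datagram (what the router would send)."""
    if not 1 <= len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r["srcaddr"]).packed,
        ipaddress.IPv4Address(r["dstaddr"]).packed,
        ipaddress.IPv4Address(r.get("nexthop", "0.0.0.0")).packed,
        r["input"], r["output"], r["dPkts"], r["dOctets"], r["first"], r["last"],
        r["srcport"], r["dstport"], 0, r.get("tcp_flags", 0), r["prot"], 0,
        0, 0, 0, 0, 0) for r in records)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram, rejecting anything structurally inconsistent.
    These are the only checks the format allows: nothing in the header
    identifies or authenticates the sender."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    (version, count, sys_uptime, unix_secs, _nsecs, seq,
     _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError("bad record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    records = []
    for i in range(count):
        vals = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, vals))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(ipaddress.IPv4Address(rec[k]))
        records.append(rec)
    return {"sys_uptime": sys_uptime, "unix_secs": unix_secs,
            "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF,
            "records": records}


def is_valid_v5(datagram):
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def merge_fragments(records):
    """Re-join records split by the active timeout: same 5-tuple and
    ifIndex pair -> one total. Any report keyed on ifIndex like this one
    only stays consistent across reboots if the router persists ifIndex."""
    totals = defaultdict(lambda: {"dPkts": 0, "dOctets": 0, "fragments": 0})
    for r in records:
        key = (r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"],
               r["prot"], r["input"], r["output"])
        totals[key]["dPkts"] += r["dPkts"]
        totals[key]["dOctets"] += r["dOctets"]
        totals[key]["fragments"] += 1
    return dict(totals)


def sample_datagram():
    return build_v5(SAMPLE_RECORDS, sys_uptime=12 * 60 * 1000,
                    unix_secs=1_385_520_000)


def tamper_version(datagram, version):
    """Overwrite the version field, e.g. to see the collector-side check fire."""
    return struct.pack(">H", version) + datagram[2:]


if __name__ == "__main__":
    parsed = parse_v5(sample_datagram())
    for key, total in merge_fragments(parsed["records"]).items():
        print(key, total)
```

Run it with python3: the sample datagram is 24 + 3 * 48 = 168 bytes and merges back to one 12 MB flow in three fragments. With the default 30-minute active timeout the same download would have produced a single record 12 minutes after the flow ended, which is the "spike" the exercise warns about.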
Configure Your Collector
------------------------

1. Install NFdump

   NFdump is the NetFlow collector (nfcapd) together with the tools for
   reading the flow files it writes (nfdump and friends).

   We install several additional packages that we will need a bit
   later:

   # apt-get install rrdtool
   # apt-get install librrds-perl
   # apt-get install librrdp-perl
   # apt-get install librrd-dev
   # apt-get install mrtg
   # apt-get install nfdump

Or, on a single line:

   # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump

   This will install, among other things, nfcapd, nfdump, nfreplay,
   nfexpire, nftest, nfgen


2. Installing and Setting up NfSen (logged in as root)

   # cd /usr/local/src
   # wget http://freefr.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz
   # tar xvzf nfsen-1.3.5.tar.gz
   # cd nfsen-1.3.5
   # cd etc
   # cp nfsen-dist.conf nfsen.conf
   # joe nfsen.conf

Set the $BASEDIR variable:

   $BASEDIR="/var/nfsen";

Set the user and group so that Apache can access files:

   $WWWUSER = 'www-data';
   $WWWGROUP = 'www-data';

Adjust the tools path to where the nfdump binaries actually reside
(the Debian package puts them in /usr/bin):

   # nfdump tools path
   $PREFIX = '/usr/bin';

Set the receive buffer size to something small, so that we see data
quickly:

   # Receive buffer size for nfcapd - see man page nfcapd(1)
   $BUFFLEN = 2000;

Find the %sources definition, and change it to:

   %sources=(
   'gw'=>{'port'=>'2002','col'=>'#0000ff','type'=>'netflow'},
   );

The 'port' is the UDP port nfcapd will listen on for this router, so
the router's "ip flow-export destination" must send to the same port.

Now save and exit from the file.


3. Create the netflow user on the system

   # useradd -d /var/netflow -G www-data -m -s /bin/false netflow


4. Install NfSen. Any time you make changes to nfsen.conf you will
   have to do this step again.

Make sure we are in the right location:

   # cd /usr/local/src/nfsen-1.3.5

Now, finally, we install:

   # perl install.pl etc/nfsen.conf

Start NfSen:

   # cd /var/nfsen/bin
   # ./nfsen start


5. View flows via the web:

   # apt-get install php5

You can find the nfsen output here:

   http://pcN.ws.nsrc.org/nfsen/nfsen.php

(Below is only if there are problems)

Note that in /usr/local/src/nfsen-1.3.5/etc/nfsen.conf there is a
variable $HTMLDIR that you may need to configure. By default it is set
like this:

   $HTMLDIR="/var/www/nfsen/";

In some cases you may need to either move the nfsen directory in your
web structure, or update the $HTMLDIR variable for your installation
(and then re-run install.pl, as for any change to nfsen.conf).

If you move items, then do:

   # /etc/init.d/apache2 restart


6. Verify that flows are arriving

Assuming that you are exporting flows from a router, or routers, to
your collector box on port 2002, you can check for arriving data using
tcpdump:

   # tcpdump -v udp port 2002

Check that the packets come from the router(s) you configured and from
nowhere else; a v5 datagram carries nothing the collector could use to
verify its sender. If nothing arrives at all, compare the destination
and port in "show ip flow export" on the router with the port of the
source in nfsen.conf, and make sure nfcapd is listening on it.

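As an added check that is not part of the original exercise or of the nfdump/NfSen tools: the following Python script reads the one-line-per-packet output of "tcpdump -nn udp" (run on the collector, without -v) and reports packets that did not come from a configured exporter, were sent to a port no nfcapd listens on, or cannot be a v5 datagram by size. The capture lines are constructed for the example; 10.10.0.254, 10.10.0.250 and port 2002 are the classroom values from the exercise, 10.10.0.77 is an assumed rogue sender, and the line to port 9996 stands in for a router still exporting to the port from the router sample rather than the one in nfsen.conf.

```python
import re

# One line per packet as printed by "tcpdump -nn udp" on the collector
# (no -v, so each packet is a single line). Constructed sample.
SAMPLE_TCPDUMP = """\
02:46:13.100000 IP 10.10.0.254.54321 > 10.10.0.250.2002: UDP, length 1464
02:46:13.200000 IP 10.10.0.254.54321 > 10.10.0.250.2002: UDP, length 264
02:46:14.300000 IP 10.10.0.77.40000 > 10.10.0.250.2002: UDP, length 72
02:46:14.400000 IP 10.10.0.254.54321 > 10.10.0.250.2002: UDP, length 100
02:46:15.000000 IP 10.10.0.254.54321 > 10.10.0.250.9996: UDP, length 1464
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)")

V5_HEADER_LEN, V5_RECORD_LEN, V5_MAX_RECORDS = 24, 48, 30


def looks_like_v5(payload_len):
    """A NetFlow v5 datagram is exactly 24 + 48*n bytes for 1 <= n <= 30."""
    n, rem = divmod(payload_len - V5_HEADER_LEN, V5_RECORD_LEN)
    return rem == 0 and 1 <= n <= V5_MAX_RECORDS


def audit_exporters(lines, expected_exporters, collector_port):
    """Classify each UDP packet seen on the collector.

    ok:                packets from a configured exporter, to the collector
                       port, with a plausible v5 size
    unexpected_source: sender addresses that are not configured exporters;
                       v5 has no sender authentication, so these should be
                       blocked at the collector's packet filter
    wrong_port:        destination ports used by a real exporter that no
                       nfcapd listens on (router / nfsen.conf mismatch)
    malformed:         datagrams from a real exporter whose size cannot be v5
    """
    result = {"ok": 0, "unexpected_source": set(), "wrong_port": set(),
              "malformed": 0}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a UDP line in the expected format
        src = m.group("src")
        dport, plen = int(m.group("dport")), int(m.group("len"))
        if src not in expected_exporters:
            result["unexpected_source"].add(src)
        elif dport != collector_port:
            result["wrong_port"].add(dport)
        elif not looks_like_v5(plen):
            result["malformed"] += 1
        else:
            result["ok"] += 1
    result["unexpected_source"] = sorted(result["unexpected_source"])
    result["wrong_port"] = sorted(result["wrong_port"])
    return result


if __name__ == "__main__":
    import sys
    # usage: tcpdump -nn -l udp > capture.txt ; python3 audit.py capture.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_TCPDUMP.splitlines()
    print(audit_exporters(lines, {"10.10.0.254"}, 2002))
```

On the sample it reports two good packets, 10.10.0.77 as an unexpected sender, port 9996 as a port the exporter is using that nothing listens on, and one malformed datagram. A sender in unexpected_source is the case to act on: with no authentication in the protocol, the only defence is to accept the collector port from known exporter addresses only.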
7. Extend your Netflow configuration (Sample Only - We won't do this)

Go back to where you extracted your nfsen distribution.

   # cd /usr/local/src/nfsen-1.3.5
   # vi etc/nfsen.conf

Update your sources for new items that you might have.
(Sample only!)

        %sources = (
        'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
        'lan1gw' => { 'port' => '2201','col' => '#00cc00' },
        'lan3gw' => { 'port' => '2203','col' => '#000000' },
        'lan4gw' => { 'port' => '2204','col' => '#ff0000' },
        'nocgw' => { 'port' => '2206','col' => '#ffff00' },
        );

Each source needs its own UDP port: nfsen starts one nfcapd listener
per source, and a second one on the same port cannot bind.

Save and exit from the nfsen.conf file.

Remember, you've updated nfsen.conf so you must re-run the install
script:

   # perl install.pl etc/nfsen.conf

Now stop and start nfsen:

   # /var/nfsen/bin/nfsen stop
   # /var/nfsen/bin/nfsen start

You can add the nfsen startup script to /etc/rc.local (or somewhere
similar) to start it at boot.


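The following Python check is added here as an example and is not part of NfSen: it parses a %sources block written in the style above and reports duplicate or invalid ports (the second nfcapd on a shared port cannot bind and that router's graphs stay empty), unknown source types, bad colour values and, optionally, a mismatch between a source's port and the port its router actually exports to. The configuration fragment is constructed for the example from the sources in this exercise, with the lan4gw port deliberately changed to duplicate lan3gw so the check has something to find.

```python
import re

# Constructed nfsen.conf fragment: the original 'gw' source plus the
# five sources from the sample above, with lan4gw's port changed to 2203
# on purpose so that it collides with lan3gw.
SAMPLE_NFSEN_CONF = """\
%sources = (
    'gw'     => { 'port' => '2002', 'col' => '#0000ff', 'type' => 'netflow' },
    'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
    'lan1gw' => { 'port' => '2201', 'col' => '#00cc00' },
    'lan3gw' => { 'port' => '2203', 'col' => '#000000' },
    'lan4gw' => { 'port' => '2203', 'col' => '#ff0000' },
    'nocgw'  => { 'port' => '2206', 'col' => '#ffff00' },
);
"""

SOURCE_RE = re.compile(r"'(?P<name>[A-Za-z0-9_-]+)'\s*=>\s*\{(?P<body>[^}]*)\}")
KV_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")
COLOR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")


def parse_sources(conf_text):
    """Extract the %sources hash from nfsen.conf text. Only the simple
    quoted-key style used in the exercise is handled, not arbitrary Perl."""
    start = conf_text.find("%sources")
    if start < 0:
        raise ValueError("no %sources definition found")
    end = conf_text.find(");", start)
    block = conf_text[start:end if end > 0 else None]
    return {m.group("name"): dict(KV_RE.findall(m.group("body")))
            for m in SOURCE_RE.finditer(block)}


def check_sources(sources, exporter_ports=None):
    """Return a list of problem strings (empty if the block is consistent).

    exporter_ports, if given, maps a source name to the port its router
    exports to ("ip flow-export destination ... PORT"), so a router/collector
    port mismatch is caught before the graphs stay empty for hours.
    """
    problems = []
    seen = {}
    for name, cfg in sources.items():
        port = cfg.get("port")
        if port is None or not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("%s: missing or invalid port %r" % (name, port))
            continue
        if port in seen:
            problems.append("%s: port %s already used by %s (nfsen starts one "
                            "nfcapd per source; the second cannot bind)"
                            % (name, port, seen[port]))
        seen.setdefault(port, name)
        if cfg.get("type", "netflow") not in ("netflow", "sflow"):
            problems.append("%s: unknown type %r" % (name, cfg["type"]))
        if "col" in cfg and not COLOR_RE.match(cfg["col"]):
            problems.append("%s: colour %r is not #rrggbb" % (name, cfg["col"]))
        if exporter_ports and name in exporter_ports \
                and int(port) != exporter_ports[name]:
            problems.append("%s: router exports to port %d but nfcapd listens on %s"
                            % (name, exporter_ports[name], port))
    return problems


if __name__ == "__main__":
    import sys
    # usage: python3 check_sources.py /usr/local/src/nfsen-1.3.5/etc/nfsen.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NFSEN_CONF
    for p in check_sources(parse_sources(text), {"gw": 9996}) or ["sources OK"]:
        print(p)
```

Run against the sample it reports the lan3gw/lan4gw collision and, because the usage line assumes the router from the first section is still exporting to 9996 while 'gw' listens on 2002, the port mismatch as well. Run it on your real nfsen.conf before "perl install.pl" rather than after.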
8. Installing the PortTracker plugin (Optional or as reference)

- Go to the PortTracker directory in the nfsen source distribution:

   # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker

- Edit do_compile. It builds nftrack against the nfdump source tree,
  which the binary nfdump package does not provide, so unpack the
  nfdump sources for the version you installed and point NFDUMP at
  that directory:

   # joe do_compile

      # path of nfdump sources
      NFDUMP="/home/sysadmin/nfdump-1.6.2"

      # path of rrd include file rrd.h
      RRDINCLUDE=/usr/include

      # path of rrd library
      LIBRRD=/usr/lib


- Compile nftrack:

   # ./do_compile

...

   # cp nftrack /usr/local/bin/

- Make a directory for the nftrack data:

   # mkdir -p /var/log/netflow/porttracker

- Set the nftrack data directory in the PortTracker.pm module:

   # joe PortTracker.pm

    ...

       my $PORTSDBDIR = "/var/log/netflow/porttracker";

    ...

- Install the plugins into the NFSen distribution:

   # cp PortTracker.pm /var/nfsen/plugins/
   # cp PortTracker.php /var/www/nfsen/plugins/

- Add the plugin definition to the nfsen.conf configuration:

   # cd /usr/local/src/nfsen-1.3.5
   # vi etc/nfsen.conf

    ...

       @plugins = (
           [ 'live',   'PortTracker'],
       );

    ...

- Re-run the installation (answer questions):

   # perl install.pl etc/nfsen.conf

- Initialize the PortTracker database files:

   # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker

    (This can take a LONG time! - 8 GB worth of files will be created)

- Set the permissions so the netflow user running nfsen, and the www-data
  user running the Web interface, can access the porttracker data:

   # chown -R netflow:www-data /var/log/netflow/porttracker
   # chmod -R 775 /var/log/netflow/porttracker

- Reload:

   # /var/nfsen/bin/nfsen reload

- Check for success:

   # grep -i 'porttracker.*success' /var/log/syslog
   Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
   Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success

- Wait some minutes, and go to the nfsen GUI

    http://pcN.ws.nsrc.org/nfsen/nfsen.php

... and select the Plugins tab.
