1 | Network Monitoring and Management |
---|
2 | |
---|
3 | Configure Your Router to Export Flows |
---|
4 | ------------------------------------- |
---|
5 | |
---|
6 | 1. Export flows from a router |
---|
7 | |
---|
8 | This is a sample only. |
---|
9 | |
---|
10 | Our router is w, or 10.10.0.254 (classroom gateway) |
---|
11 | |
---|
12 | Log in on the router: |
---|
13 | |
---|
14 | # ssh USERNAME@10.10.0.254 |
---|
15 | gw>enable |
---|
16 | |
---|
17 | Enter the enable password |
---|
18 | |
---|
19 | nm-gw# configure terminal |
---|
20 | nm-gw(config)# interface FastEthernet 0/0 |
---|
21 | nm-gw(config)# ip route-cache flow |
---|
22 | nm-gw(config)# exit |
---|
23 | |
---|
24 | Repeat for FastExthernet 0/1 (and all interfaces you may have that |
---|
25 | are configured) |
---|
26 | |
---|
27 | nm-gw# configure terminal |
---|
28 | nm-gw(config)# interface FastEthernet 0/1 |
---|
29 | nm-gw(config)# ip route-cache flow |
---|
30 | nm-gw(config)# exit |
---|
31 | |
---|
32 | nm-gw# ip flow-export destination 10.10.0.250 9996 |
---|
33 | nm-gw# ip flow-export version 5 |
---|
34 | nm-gw# ip flow-cache timeout active 5 |
---|
35 | |
---|
36 | This breaks up long-lived flows into 5-minute fragments. You can |
---|
37 | choose any number of minutes between 1 and 60. If you leave it at |
---|
38 | the default of 30 minutes your traffic reports will have spikes. |
---|
39 | |
---|
40 | nm-gw# snmp-server ifindex persist |
---|
41 | nm-gw# ^Z |
---|
42 | nm-gw# write mem |
---|
43 | |
---|
44 | This enables ifIndex persistence globally. This ensures that the |
---|
45 | ifIndex values are persisted during router reboots. |
---|
46 | |
---|
47 | Now we'll verify what we've done. |
---|
48 | |
---|
49 | nm-gw# show ip flow export |
---|
50 | nm-gw# show ip cache flow |
---|
51 | |
---|
52 | See your "top talkers" across your router interfaces |
---|
53 | |
---|
54 | nm-gw# show ip flow top-talkers |
---|
55 | |
---|
56 | |
---|
57 | Configure Your Collector |
---|
58 | ------------------------ |
---|
59 | |
---|
60 | 1. Install NFdump |
---|
61 | NFdump is the Netflow flow collector |
---|
62 | |
---|
63 | We install several additional packages that we will need a bit |
---|
64 | later: |
---|
65 | |
---|
66 | # apt-get install rrdtool |
---|
67 | # apt-get install librrds-perl |
---|
68 | # apt-get install librrdp-perl |
---|
69 | # apt-get install librrd-dev |
---|
70 | # apt-get install mrtg |
---|
71 | # apt-get install nfdump |
---|
72 | |
---|
73 | Or, on a single line: |
---|
74 | |
---|
75 | # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump |
---|
76 | |
---|
77 | This will install, among other things, nfcapd, nfdump, nfreplay, |
---|
78 | nfexpire, nftest, nfgen |
---|
79 | |
---|
80 | |
---|
81 | 2. Installing and Setting up NfSen (logged in as root) |
---|
82 | |
---|
83 | # cd /usr/local/src |
---|
84 | # wget http://freefr.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz |
---|
85 | # tar xvzf nfsen-1.3.5.tar.gz |
---|
86 | # cd nfsen-1.3.5 |
---|
87 | # cd etc |
---|
88 | # cp nfsen-dist.conf nfsen.conf |
---|
89 | # joe nfsen.conf |
---|
90 | |
---|
91 | Set the $BASEDIR variable |
---|
92 | |
---|
93 | $BASEDIR="/var/nfsen"; |
---|
94 | |
---|
95 | Set the users appropriately so that Apache can access files: |
---|
96 | |
---|
97 | $WWWUSER = 'www-data'; |
---|
98 | $WWWGROUP = 'www-data' |
---|
99 | |
---|
100 | Adjust the tools path to where items actually reside: |
---|
101 | |
---|
102 | # nfdump tools path |
---|
103 | $PREFIX = '/usr/bin'; |
---|
104 | |
---|
105 | Set the buffer size to something small, so that we see data quickly |
---|
106 | |
---|
107 | # Receive buffer size for nfcapd - see man page nfcapd(1) |
---|
108 | $BUFFLEN = 2000; |
---|
109 | |
---|
110 | Find the %sources definition, and change it to: |
---|
111 | |
---|
112 | %sources=( |
---|
113 | 'gw'=>{'port'=>'2002','col'=>'#0000ff','type'=>'netflow'}, |
---|
114 | ); |
---|
115 | |
---|
116 | Now save and exit from the file. |
---|
117 | |
---|
118 | |
---|
119 | 3. Create the netflow user on the system |
---|
120 | |
---|
121 | # useradd -d /var/netflow -G www-data -m -s /bin/false netflow |
---|
122 | |
---|
123 | |
---|
124 | 4. Initiate NfSen. Any time you make changes to nfsen.conf you will |
---|
125 | have to do this step again. |
---|
126 | |
---|
127 | Make sure we are in the right location: |
---|
128 | |
---|
129 | # cd /usr/local/src/nfsen-1.3.5 |
---|
130 | |
---|
131 | Now, finally, we install: |
---|
132 | |
---|
133 | # perl install.pl etc/nfsen.conf |
---|
134 | |
---|
135 | Start NfSen |
---|
136 | |
---|
137 | cd /var/nfsen/bin |
---|
138 | ./nfsen start |
---|
139 | |
---|
140 | |
---|
141 | 5. View flows via the web: |
---|
142 | |
---|
143 | # apt-get install php5 |
---|
144 | |
---|
145 | You can find the nfsen output here: |
---|
146 | |
---|
147 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
---|
148 | |
---|
149 | (Below is only if there are problems) |
---|
150 | |
---|
151 | Note that in /usr/local/etc/nfsen-1.3/etc/nfsen.conf there is a variable |
---|
152 | $HTMLDIR that you may need to configure. By default it is set like this: |
---|
153 | |
---|
154 | $HTMLDIR="/var/www/nfsen/"; |
---|
155 | |
---|
156 | In some cases you may need to either move the nfsen directory in your web |
---|
157 | structure, or update the $HTMLDIR variable for your installation. |
---|
158 | |
---|
159 | If you move items, then do: |
---|
160 | |
---|
161 | # /etc/init.d/apache2 restart |
---|
162 | |
---|
163 | |
---|
164 | 6. Verify that flows are arriving |
---|
165 | |
---|
166 | Assuming that you are exporting flows from a router, or routers, to |
---|
167 | your collector box on port 2002 you can check for arriving data using |
---|
168 | tcpdump: |
---|
169 | |
---|
170 | # tcpdump -v udp port 2002 |
---|
171 | |
---|
172 | |
---|
173 | 7. Extend your Netflow configuration (Sample Only - We won't do this) |
---|
174 | |
---|
175 | Go back to where you extracted your nfsen distribution. |
---|
176 | |
---|
177 | # cd /usr/local/src/nfsen-1.3.5 |
---|
178 | # vi etc/nfsen.conf |
---|
179 | |
---|
180 | Update your sources for new items that you migh have. |
---|
181 | (Sample only!) |
---|
182 | |
---|
183 | %sources = ( |
---|
184 | 'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' }, |
---|
185 | 'lan1gw' => { 'port' => '2201','col' => '#00cc00' }, |
---|
186 | 'lan3gw' => { 'port' => '2203','col' => '#000000' }, |
---|
187 | 'lan4gw' => { 'port' => '2204','col' => '#ff0000' }, |
---|
188 | 'nocgw' => { 'port' => '2206','col' => '#ffff00' }, |
---|
189 | ); |
---|
190 | |
---|
191 | Save and exit from the nfsend.conf file. |
---|
192 | |
---|
193 | Remember, you've updated nfsen.conf so you must re-run the install |
---|
194 | script: |
---|
195 | |
---|
196 | # perl install.pl etc/nfsen.conf |
---|
197 | |
---|
198 | Now start and stop nfsen: |
---|
199 | |
---|
200 | # /var/nfsen/bin/nfsen stop |
---|
201 | # /var/nfsen/bin/nfsen start |
---|
202 | |
---|
203 | You can add the nfsen startup script to /etc/init.d/rc.local |
---|
204 | or somewhere similar to start it at bootup.) |
---|
205 | |
---|
206 | |
---|
207 | 8. Installing the PortTracker plugin (Optional or as reference) |
---|
208 | |
---|
209 | - Go the PortTracker directory in the nfsen source distribution: |
---|
210 | |
---|
211 | # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker |
---|
212 | |
---|
213 | # joe do_compile |
---|
214 | |
---|
215 | # path of nfdump sources |
---|
216 | NFDUMP="/home/sysadmin/nfdump-1.6.2" |
---|
217 | |
---|
218 | # path of rrd include file rrd.h |
---|
219 | RRDINCLUDE=/usr/include |
---|
220 | |
---|
221 | # path of rrd library |
---|
222 | LIBRRD=/usr/lib |
---|
223 | |
---|
224 | |
---|
225 | - Compile nftrack: |
---|
226 | |
---|
227 | # ./do_compile |
---|
228 | |
---|
229 | ... |
---|
230 | |
---|
231 | # cp nftrack /usr/local/bin/ |
---|
232 | |
---|
233 | - Make a directory for the nftrack data |
---|
234 | |
---|
235 | # mkdir -p /var/log/netflow/porttracker |
---|
236 | |
---|
237 | - Set the nftrack data directory in the PortTracker.pm module: |
---|
238 | |
---|
239 | # joe PortTracker.pm |
---|
240 | |
---|
241 | ... |
---|
242 | |
---|
243 | my $PORTSDBDIR = "/var/log/netflow/porttracker"; |
---|
244 | |
---|
245 | ... |
---|
246 | |
---|
247 | - Install the plugins into the NFSen distribution |
---|
248 | |
---|
249 | # cp PortTracker.pm /var/nfsen/plugins/ |
---|
250 | # cp PortTracker.php /var/www/nfsen/plugins/ |
---|
251 | |
---|
252 | - Add the plugin definition to the nfsen.conf configuration |
---|
253 | |
---|
254 | # cd ~/nfsen-1.3.5 |
---|
255 | # vi etc/nfsen.conf |
---|
256 | |
---|
257 | ... |
---|
258 | |
---|
259 | @plugins = ( |
---|
260 | [ 'live', 'PortTracker'], |
---|
261 | ); |
---|
262 | |
---|
263 | ... |
---|
264 | |
---|
265 | - Re-run the installation (answer questions) |
---|
266 | |
---|
267 | # perl install.pl etc/nfsen.conf |
---|
268 | |
---|
269 | - Initialize portracker database files |
---|
270 | |
---|
271 | # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker |
---|
272 | |
---|
273 | (This can take a LONG time! - 8 GB worth of files will be created) |
---|
274 | |
---|
275 | - Set the permissions so the netflow user running nfsen, and the www-data |
---|
276 | user running the Web interface, can access the porttracker data: |
---|
277 | |
---|
278 | # chown -R netflow:www-data /var/log/netflow/porttracker |
---|
279 | # chmod -R 775 /var/log/netflow/porttracker |
---|
280 | |
---|
281 | - Reload: |
---|
282 | |
---|
283 | # /var/nfsen/bin/nfsen reload |
---|
284 | |
---|
285 | - Check for success: |
---|
286 | |
---|
287 | # grep -i 'porttracker.*success' /var/log/syslog |
---|
288 | Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success |
---|
289 | Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success |
---|
290 | |
---|
291 | - Wait some minutes, and go the the nfsen GUI |
---|
292 | |
---|
293 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
---|
294 | |
---|
295 | ... and select the Plugins tab. |
---|
296 | |
---|
297 | |
---|