Agenda: exercises-netflow.txt

File exercises-netflow.txt, 6.7 KB (added by admin, 8 years ago)

Line
1	Network Monitoring and Management
2
3	Configure Your Router to Export Flows
4	-------------------------------------
5
6	1. Export flows from a router
7
8	This is a sample only.
9
10	Our router is w, or 10.10.0.254 (classroom gateway)
11
12	Log in on the router:
13
14	# ssh USERNAME@10.10.0.254
15	gw>enable
16
17	Enter the enable password
18
19	nm-gw# configure terminal
20	nm-gw(config)# interface FastEthernet 0/0
21	nm-gw(config)# ip route-cache flow
22	nm-gw(config)# exit
23
24	Repeat for FastExthernet 0/1 (and all interfaces you may have that
25	are configured)
26
27	nm-gw# configure terminal
28	nm-gw(config)# interface FastEthernet 0/1
29	nm-gw(config)# ip route-cache flow
30	nm-gw(config)# exit
31
32	nm-gw# ip flow-export destination 10.10.0.250 9996
33	nm-gw# ip flow-export version 5
34	nm-gw# ip flow-cache timeout active 5
35
36	This breaks up long-lived flows into 5-minute fragments. You can
37	choose any number of minutes between 1 and 60. If you leave it at
38	the default of 30 minutes your traffic reports will have spikes.
39
40	nm-gw# snmp-server ifindex persist
41	nm-gw# ^Z
42	nm-gw# write mem
43
44	This enables ifIndex persistence globally. This ensures that the
45	ifIndex values are persisted during router reboots.
46
47	Now we'll verify what we've done.
48
49	nm-gw# show ip flow export
50	nm-gw# show ip cache flow
51
52	See your "top talkers" across your router interfaces
53
54	nm-gw# show ip flow top-talkers
55
56
57	Configure Your Collector
58	------------------------
59
60	1. Install NFdump
61	NFdump is the Netflow flow collector
62
63	We install several additional packages that we will need a bit
64	later:
65
66	# apt-get install rrdtool
67	# apt-get install librrds-perl
68	# apt-get install librrdp-perl
69	# apt-get install librrd-dev
70	# apt-get install mrtg
71	# apt-get install nfdump
72
73	Or, on a single line:
74
75	# apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump
76
77	This will install, among other things, nfcapd, nfdump, nfreplay,
78	nfexpire, nftest, nfgen
79
80
81	2. Installing and Setting up NfSen (logged in as root)
82
83	# cd /usr/local/src
84	# wget http://freefr.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz
85	# tar xvzf nfsen-1.3.5.tar.gz
86	# cd nfsen-1.3.5
87	# cd etc
88	# cp nfsen-dist.conf nfsen.conf
89	# joe nfsen.conf
90
91	Set the $BASEDIR variable
92
93	$BASEDIR="/var/nfsen";
94
95	Set the users appropriately so that Apache can access files:
96
97	$WWWUSER = 'www-data';
98	$WWWGROUP = 'www-data'
99
100	Adjust the tools path to where items actually reside:
101
102	# nfdump tools path
103	$PREFIX = '/usr/bin';
104
105	Set the buffer size to something small, so that we see data quickly
106
107	# Receive buffer size for nfcapd - see man page nfcapd(1)
108	$BUFFLEN = 2000;
109
110	Find the %sources definition, and change it to:
111
112	%sources=(
113	'gw'=>{'port'=>'2002','col'=>'#0000ff','type'=>'netflow'},
114	);
115
116	Now save and exit from the file.
117
118
119	3. Create the netflow user on the system
120
121	# useradd -d /var/netflow -G www-data -m -s /bin/false netflow
122
123
124	4. Initiate NfSen. Any time you make changes to nfsen.conf you will
125	have to do this step again.
126
127	Make sure we are in the right location:
128
129	# cd /usr/local/src/nfsen-1.3.5
130
131	Now, finally, we install:
132
133	# perl install.pl etc/nfsen.conf
134
135	Start NfSen
136
137	cd /var/nfsen/bin
138	./nfsen start
139
140
141	5. View flows via the web:
142
143	# apt-get install php5
144
145	You can find the nfsen output here:
146
147	http://pcN.ws.nsrc.org/nfsen/nfsen.php
148
149	(Below is only if there are problems)
150
151	Note that in /usr/local/etc/nfsen-1.3/etc/nfsen.conf there is a variable
152	$HTMLDIR that you may need to configure. By default it is set like this:
153
154	$HTMLDIR="/var/www/nfsen/";
155
156	In some cases you may need to either move the nfsen directory in your web
157	structure, or update the $HTMLDIR variable for your installation.
158
159	If you move items, then do:
160
161	# /etc/init.d/apache2 restart
162
163
164	6. Verify that flows are arriving
165
166	Assuming that you are exporting flows from a router, or routers, to
167	your collector box on port 2002 you can check for arriving data using
168	tcpdump:
169
170	# tcpdump -v udp port 2002
171
172
173	7. Extend your Netflow configuration (Sample Only - We won't do this)
174
175	Go back to where you extracted your nfsen distribution.
176
177	# cd /usr/local/src/nfsen-1.3.5
178	# vi etc/nfsen.conf
179
180	Update your sources for new items that you migh have.
181	(Sample only!)
182
183	%sources = (
184	'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
185	'lan1gw' => { 'port' => '2201','col' => '#00cc00' },
186	'lan3gw' => { 'port' => '2203','col' => '#000000' },
187	'lan4gw' => { 'port' => '2204','col' => '#ff0000' },
188	'nocgw' => { 'port' => '2206','col' => '#ffff00' },
189	);
190
191	Save and exit from the nfsend.conf file.
192
193	Remember, you've updated nfsen.conf so you must re-run the install
194	script:
195
196	# perl install.pl etc/nfsen.conf
197
198	Now start and stop nfsen:
199
200	# /var/nfsen/bin/nfsen stop
201	# /var/nfsen/bin/nfsen start
202
203	You can add the nfsen startup script to /etc/init.d/rc.local
204	or somewhere similar to start it at bootup.)
205
206
207	8. Installing the PortTracker plugin (Optional or as reference)
208
209	- Go the PortTracker directory in the nfsen source distribution:
210
211	# cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker
212
213	# joe do_compile
214
215	# path of nfdump sources
216	NFDUMP="/home/sysadmin/nfdump-1.6.2"
217
218	# path of rrd include file rrd.h
219	RRDINCLUDE=/usr/include
220
221	# path of rrd library
222	LIBRRD=/usr/lib
223
224
225	- Compile nftrack:
226
227	# ./do_compile
228
229	...
230
231	# cp nftrack /usr/local/bin/
232
233	- Make a directory for the nftrack data
234
235	# mkdir -p /var/log/netflow/porttracker
236
237	- Set the nftrack data directory in the PortTracker.pm module:
238
239	# joe PortTracker.pm
240
241	...
242
243	my $PORTSDBDIR = "/var/log/netflow/porttracker";
244
245	...
246
247	- Install the plugins into the NFSen distribution
248
249	# cp PortTracker.pm /var/nfsen/plugins/
250	# cp PortTracker.php /var/www/nfsen/plugins/
251
252	- Add the plugin definition to the nfsen.conf configuration
253
254	# cd ~/nfsen-1.3.5
255	# vi etc/nfsen.conf
256
257	...
258
259	@plugins = (
260	[ 'live', 'PortTracker'],
261	);
262
263	...
264
265	- Re-run the installation (answer questions)
266
267	# perl install.pl etc/nfsen.conf
268
269	- Initialize portracker database files
270
271	# sudo -u www-data nftrack -I -d /var/log/netflow/porttracker
272
273	(This can take a LONG time! - 8 GB worth of files will be created)
274
275	- Set the permissions so the netflow user running nfsen, and the www-data
276	user running the Web interface, can access the porttracker data:
277
278	# chown -R netflow:www-data /var/log/netflow/porttracker
279	# chmod -R 775 /var/log/netflow/porttracker
280
281	- Reload:
282
283	# /var/nfsen/bin/nfsen reload
284
285	- Check for success:
286
287	# grep -i 'porttracker.*success' /var/log/syslog
288	Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
289	Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success
290
291	- Wait some minutes, and go the the nfsen GUI
292
293	http://pcN.ws.nsrc.org/nfsen/nfsen.php
294
295	... and select the Plugins tab.
296
297