Network Monitoring and Management

Configure Your Router to Export Flows
-------------------------------------

1. Export flows from a router

This is a sample only. Our router is gw, or 10.10.0.254 (the classroom gateway).

Log in on the router:

    # ssh USERNAME@10.10.0.254
    gw> enable

Enter the enable password, then enable flow caching on the first interface:

    nm-gw# configure terminal
    nm-gw(config)# interface FastEthernet 0/0
    nm-gw(config-if)# ip route-cache flow
    nm-gw(config-if)# exit

Repeat for FastEthernet 0/1 (and all other configured interfaces you may have):

    nm-gw(config)# interface FastEthernet 0/1
    nm-gw(config-if)# ip route-cache flow
    nm-gw(config-if)# exit

Still in configuration mode, tell the router where to send the flows and which version to use:

    nm-gw(config)# ip flow-export destination 10.10.0.250 9996
    nm-gw(config)# ip flow-export version 5
    nm-gw(config)# ip flow-cache timeout active 5

This breaks up long-lived flows into 5-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes, your traffic reports will have spikes.

    nm-gw(config)# snmp-server ifindex persist
    nm-gw(config)# ^Z
    nm-gw# write mem

This enables ifIndex persistence globally, which ensures that the ifIndex values survive router reboots.

Now we'll verify what we've done:

    nm-gw# show ip flow export
    nm-gw# show ip cache flow

See your "top talkers" across your router interfaces:

    nm-gw# show ip flow top-talkers

Configure Your Collector
------------------------

1. Install NFdump

NFdump is the NetFlow flow collector. We also install several additional packages that we will need a bit later:

    # apt-get install rrdtool
    # apt-get install librrds-perl
    # apt-get install librrdp-perl
    # apt-get install librrd-dev
    # apt-get install mrtg
    # apt-get install nfdump

Or, on a single line:

    # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump

This will install, among other things, nfcapd, nfdump, nfreplay, nfexpire, nftest and nfgen.

2. Installing and Setting up NfSen (logged in as root)

    # cd /usr/local/src
    # wget http://freefr.dl.sourceforge.net/project/nfsen/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz
    # tar xvzf nfsen-1.3.5.tar.gz
    # cd nfsen-1.3.5
    # cd etc
    # cp nfsen-dist.conf nfsen.conf
    # joe nfsen.conf

Set the $BASEDIR variable:

    $BASEDIR="/var/nfsen";

Set the users appropriately so that Apache can access files:

    $WWWUSER = 'www-data';
    $WWWGROUP = 'www-data';

Adjust the tools path to where items actually reside:

    # nfdump tools path
    $PREFIX = '/usr/bin';

Set the buffer size to something small, so that we see data quickly:

    # Receive buffer size for nfcapd - see man page nfcapd(1)
    $BUFFLEN = 2000;

Find the %sources definition, and change it to:

    %sources=(
        'gw'=>{'port'=>'2002','col'=>'#0000ff','type'=>'netflow'},
    );

Now save and exit from the file.

3. Create the netflow user on the system

    # useradd -d /var/netflow -G www-data -m -s /bin/false netflow

4. Initiate NfSen

Any time you make changes to nfsen.conf you will have to do this step again.

Make sure we are in the right location:

    # cd /usr/local/src/nfsen-1.3.5

Now, finally, we install:

    # perl install.pl etc/nfsen.conf

Start NfSen:

    # cd /var/nfsen/bin
    # ./nfsen start

5. View flows via the web

    # apt-get install php5

You can find the nfsen output here:

    http://pcN.ws.nsrc.org/nfsen/nfsen.php

(Below is only if there are problems.)

Note that in /usr/local/etc/nfsen-1.3/etc/nfsen.conf there is a variable $HTMLDIR that you may need to configure. By default it is set like this:

    $HTMLDIR="/var/www/nfsen/";

In some cases you may need to either move the nfsen directory in your web structure, or update the $HTMLDIR variable for your installation. If you move items, then do:

    # /etc/init.d/apache2 restart

6. Verify that flows are arriving

Assuming that you are exporting flows from a router, or routers, to your collector box on port 2002, you can check for arriving data using tcpdump:

    # tcpdump -v udp port 2002

7. Extend your Netflow configuration (Sample Only - We won't do this)

Go back to where you extracted your nfsen distribution:

    # cd /usr/local/src/nfsen-1.3.5
    # vi etc/nfsen.conf

Update your sources for new items that you might have. (Sample only!)

    %sources = (
        'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
        'lan1gw' => { 'port' => '2201', 'col' => '#00cc00' },
        'lan3gw' => { 'port' => '2203', 'col' => '#000000' },
        'lan4gw' => { 'port' => '2204', 'col' => '#ff0000' },
        'nocgw'  => { 'port' => '2206', 'col' => '#ffff00' },
    );

Save and exit from the nfsen.conf file.

Remember, you've updated nfsen.conf, so you must re-run the install script:

    # perl install.pl etc/nfsen.conf

Now stop and start nfsen:

    # /var/nfsen/bin/nfsen stop
    # /var/nfsen/bin/nfsen start

You can add the nfsen startup script to /etc/init.d/rc.local or somewhere similar to start it at bootup.

8. Installing the PortTracker plugin (Optional or as reference)

- Go to the PortTracker directory in the nfsen source distribution and set the paths in do_compile:

    # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker
    # joe do_compile

    # path of nfdump sources
    NFDUMP="/home/sysadmin/nfdump-1.6.2"
    # path of rrd include file rrd.h
    RRDINCLUDE=/usr/include
    # path of rrd library
    LIBRRD=/usr/lib

- Compile nftrack:

    # ./do_compile
    ...
    # cp nftrack /usr/local/bin/

- Make a directory for the nftrack data:

    # mkdir -p /var/log/netflow/porttracker

- Set the nftrack data directory in the PortTracker.pm module:

    # joe PortTracker.pm
    ...
    my $PORTSDBDIR = "/var/log/netflow/porttracker";
    ...

- Install the plugins into the NfSen distribution:

    # cp PortTracker.pm /var/nfsen/plugins/
    # cp PortTracker.php /var/www/nfsen/plugins/

- Add the plugin definition to the nfsen.conf configuration:

    # cd ~/nfsen-1.3.5
    # vi etc/nfsen.conf
    ...
    @plugins = (
        [ 'live', 'PortTracker' ],
    );
    ...

- Re-run the installation (answer the questions):

    # perl install.pl etc/nfsen.conf

- Initialize the porttracker database files:

    # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker

  (This can take a LONG time! 8 GB worth of files will be created.)

- Set the permissions so the netflow user running nfsen, and the www-data user running the Web interface, can access the porttracker data:

    # chown -R netflow:www-data /var/log/netflow/porttracker
    # chmod -R 775 /var/log/netflow/porttracker

- Reload:

    # /var/nfsen/bin/nfsen reload

- Check for success:

    # grep -i 'porttracker.*success' /var/log/syslog
    Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
    Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success

- Wait some minutes, then go to the nfsen GUI at http://pcN.ws.nsrc.org/nfsen/nfsen.php and select the Plugins tab.
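The datagrams that tcpdump shows arriving in step 6 (and that nfcapd stores for NfSen) are the NetFlow v5 records configured on the router in step 1; nfcapd listens on the 'port' value given for the source in %sources, so the router's flow-export destination must name that same port. The parser below is an added example, not part of this lab or of the nfdump/NfSen code: it decodes a constructed v5 datagram (the addresses and counters are sample values, not captured traffic), refuses anything whose version or length does not match its header, and sums bytes per source the way the router's top-talkers view does; the in_if/out_if fields are the ifIndex values that snmp-server ifindex persist keeps stable across reboots.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout: 24-byte header followed by count * 48-byte records
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into a list of flow dicts."""
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    # Validate version and length before trusting the record count.
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4],  # SNMP ifIndex of in/out interface
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def top_talkers(flows, n=3):
    """Sum bytes per source address, like 'show ip flow top-talkers'."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]

def build_sample_datagram():
    """Constructed sample with three flows (sample values, not captured traffic)."""
    def rec(src, dst, in_if, out_if, pkts, octets, sport, dport, proto):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), in_if, out_if, pkts,
                           octets, 1000, 2000, sport, dport, 0, 0x18, proto,
                           0, 0, 0, 24, 24, 0)
    records = [
        rec("10.10.0.10", "192.0.2.5", 1, 2, 400, 512000, 40000, 80, 6),
        rec("10.10.0.11", "192.0.2.9", 1, 2, 10, 1500, 53001, 53, 17),
        rec("10.10.0.10", "192.0.2.7", 1, 2, 100, 100000, 40001, 443, 6),
    ]
    # version 5, record count, sysUptime, unix secs, nsecs, sequence, engine type/id, sampling
    header = HEADER.pack(5, len(records), 12345, 1300000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)
```

Calling top_talkers(parse_v5(build_sample_datagram())) lists 10.10.0.10 first with 612000 bytes, the two HTTP/HTTPS flows summed into one source total.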