| 1 | Network Monitoring and Management |
|---|
| 2 | |
|---|
| 3 | Configure Your Router to Export Flows |
|---|
| 4 | ------------------------------------- |
|---|
| 5 | |
|---|
| 6 | 1. Export flows from a router |
|---|
| 7 | |
|---|
| 8 | This is a sample for doing this from the Group 1 router, rtr1.ws.nsrc.org to |
|---|
| 9 | the PC named pc1.ws.nsrc.org or 10.10.1.1. In each of your groups 1 through 9 |
|---|
| 10 | you must choose one person to type in the commands to set up router for Netflow |
|---|
| 11 | and one PC where the Netflow exports will go. IOS can unfortunately not send |
|---|
| 12 | Netflow messages to more than 1 or 2 devices, so we will use only 1 now. |
|---|
| 13 | |
|---|
| 14 | For example, if our router is rtr1, or 10.10.1.254 (Group 1 gateway): |
|---|
| 15 | |
|---|
| 16 | Log in on the router: |
|---|
| 17 | |
|---|
| 18 | # ssh cisco@10.10.1.254 |
|---|
| 19 | rtr1.ws.nsrc.org> enable |
|---|
| 20 | |
|---|
| 21 | Enter the enable password... |
|---|
| 22 | |
|---|
| 23 | Configure FastExthernet 0/0 to generate netflow: |
|---|
| 24 | |
|---|
| 25 | rtr1.ws.nsrc.org# configure terminal |
|---|
| 26 | rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0 |
|---|
| 27 | rtr1.ws.nsrc.org(config-if)# ip flow ingress |
|---|
| 28 | rtr1.ws.nsrc.org(config-if)# ip flow egress |
|---|
| 29 | rtr1.ws.nsrc.org(config-if)# exit |
|---|
| 30 | rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9996 |
|---|
| 31 | rtr1.ws.nsrc.org(config)# ip flow-export version 5 |
|---|
| 32 | rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5 |
|---|
| 33 | |
|---|
| 34 | This breaks up long-lived flows into 5-minute fragments. You can |
|---|
| 35 | choose any number of minutes between 1 and 60. If you leave it at |
|---|
| 36 | the default of 30 minutes your traffic reports will have spikes. |
|---|
| 37 | |
|---|
| 38 | rtr1.ws.nsrc.org(config)# snmp-server ifindex persist |
|---|
| 39 | |
|---|
| 40 | This enables ifIndex persistence globally. This ensures that the |
|---|
| 41 | ifIndex values are persisted during router reboots. |
|---|
| 42 | |
|---|
| 43 | Now configure how you want the ip flow top-talkers to work: |
|---|
| 44 | |
|---|
| 45 | rtr1.ws.nsrc.org(config)#ip flow-top-talkers |
|---|
| 46 | rtr1.ws.nsrc.org(config-flow-top-talkers)#top 20 |
|---|
| 47 | rtr1.ws.nsrc.org(config-flow-top-talkers)#sort-by bytes |
|---|
| 48 | rtr1.ws.nsrc.org(config-flow-top-talkers)#end |
|---|
| 49 | |
|---|
| 50 | Now we'll verify what we've done. |
|---|
| 51 | |
|---|
| 52 | rtr1.ws.nsrc.org# show ip flow export |
|---|
| 53 | rtr1.ws.nsrc.org# show ip cache flow |
|---|
| 54 | |
|---|
| 55 | See your "top talkers" across your router interfaces |
|---|
| 56 | |
|---|
| 57 | rtr1.ws.nsrc.org# show ip flow top-talkers |
|---|
| 58 | |
|---|
| 59 | If it all looks good then write your running-config to non-volatile |
|---|
| 60 | RAM (i.e. the startup-config): |
|---|
| 61 | |
|---|
| 62 | rtr1.ws.nsrc.org#wr mem |
|---|
| 63 | |
|---|
| 64 | You can exit from the router now: |
|---|
| 65 | |
|---|
| 66 | rtr1.ws.nsrc.org#exit |
|---|
| 67 | |
|---|
| 68 | and on the machine where flows are being exported to you can verify that they |
|---|
| 69 | are arriving by doing (as root): |
|---|
| 70 | |
|---|
| 71 | # tcpdump -v udp port 9996 |
|---|
| 72 | |
|---|
| 73 | In addition (_PLEASE NOTE_) we are re-exporting NetFlow data from the gateway |
|---|
| 74 | router to all the PCs in the classroom. You can verify that these flows are |
|---|
| 75 | arriving by typing: |
|---|
| 76 | |
|---|
| 77 | # tcpdump -v udp port 9009 |
|---|
| 78 | |
|---|
| 79 | For the exercises we'll assume you are on a PC where flows are only arriving |
|---|
| 80 | from the gateway router and we'll use the 9009 port. |
|---|
| 81 | |
|---|
| 82 | |
|---|
| 83 | Configure Your Collector |
|---|
| 84 | ------------------------ |
|---|
| 85 | |
|---|
| 86 | 1. Install NFdump |
|---|
| 87 | NFdump is the Netflow flow collector |
|---|
| 88 | |
|---|
| 89 | We install several additional packages that we will need a bit |
|---|
| 90 | later: |
|---|
| 91 | |
|---|
| 92 | Only install these if you did not already install mrtg and rrdtool: |
|---|
| 93 | |
|---|
| 94 | # apt-get install rrdtool |
|---|
| 95 | # apt-get install librrds-perl |
|---|
| 96 | # apt-get install librrdp-perl |
|---|
| 97 | # apt-get install mrtg |
|---|
| 98 | |
|---|
| 99 | If mrtg and rrdtool are already installed, then you just need these: |
|---|
| 100 | |
|---|
| 101 | # apt-get install librrd-dev |
|---|
| 102 | # apt-get install nfdump |
|---|
| 103 | |
|---|
| 104 | Or, on a single line: |
|---|
| 105 | |
|---|
| 106 | # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump |
|---|
| 107 | |
|---|
| 108 | This will install, among other things, nfcapd, nfdump, nfreplay, |
|---|
| 109 | nfexpire, nftest, nfgen |
|---|
| 110 | |
|---|
| 111 | |
|---|
| 112 | 2. Installing and Setting up NfSen (logged in as root) |
|---|
| 113 | |
|---|
| 114 | # cd /usr/local/src |
|---|
| 115 | # wget http://noc.ws.nsrc.org/downloads/nfsen-1.3.5.tar.gz |
|---|
| 116 | # tar xvzf nfsen-1.3.5.tar.gz |
|---|
| 117 | # cd nfsen-1.3.5 |
|---|
| 118 | # cd etc |
|---|
| 119 | # cp nfsen-dist.conf nfsen.conf |
|---|
| 120 | # vi nfsen.conf |
|---|
| 121 | |
|---|
| 122 | Set the $BASEDIR variable |
|---|
| 123 | |
|---|
| 124 | $BASEDIR="/var/nfsen"; |
|---|
| 125 | |
|---|
| 126 | Set the users appropriately so that Apache can access files: |
|---|
| 127 | |
|---|
| 128 | $WWWUSER = 'www-data'; |
|---|
| 129 | $WWWGROUP = 'www-data' |
|---|
| 130 | |
|---|
| 131 | Adjust the tools path to where items actually reside: |
|---|
| 132 | |
|---|
| 133 | # nfdump tools path |
|---|
| 134 | $PREFIX = '/usr/bin'; |
|---|
| 135 | |
|---|
| 136 | Set the buffer size to something small, so that we see data quickly |
|---|
| 137 | |
|---|
| 138 | # Receive buffer size for nfcapd - see man page nfcapd(1) |
|---|
| 139 | $BUFFLEN = 2000; |
|---|
| 140 | |
|---|
| 141 | Find the %sources definition, and change it to: |
|---|
| 142 | |
|---|
| 143 | %sources=( |
|---|
| 144 | 'rtrX'=>{'port'=>'9996','col'=>'#ff0000','type'=>'netflow'}, |
|---|
| 145 | 'gw'=>{'port'=>'9009','col'=>'#0000ff','type'=>'netflow'}, |
|---|
| 146 | ); |
|---|
| 147 | |
|---|
| 148 | Now save and exit from the file. |
|---|
| 149 | |
|---|
| 150 | |
|---|
| 151 | 3. Create the netflow user on the system |
|---|
| 152 | |
|---|
| 153 | # useradd -d /var/netflow -G www-data -m -s /bin/false netflow |
|---|
| 154 | |
|---|
| 155 | |
|---|
| 156 | 4. Initiate NfSen. Any time you make changes to nfsen.conf you will |
|---|
| 157 | have to do this step again. |
|---|
| 158 | |
|---|
| 159 | Make sure we are in the right location: |
|---|
| 160 | |
|---|
| 161 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 162 | |
|---|
| 163 | Now, finally, we install: |
|---|
| 164 | |
|---|
| 165 | # perl install.pl etc/nfsen.conf |
|---|
| 166 | |
|---|
| 167 | Start NfSen |
|---|
| 168 | |
|---|
| 169 | cd /var/nfsen/bin |
|---|
| 170 | ./nfsen start |
|---|
| 171 | |
|---|
| 172 | |
|---|
| 173 | 5. View flows via the web: |
|---|
| 174 | |
|---|
| 175 | This should not be necessary, but just in case: |
|---|
| 176 | |
|---|
| 177 | # apt-get install php5 |
|---|
| 178 | |
|---|
| 179 | You can find the nfsen output here: |
|---|
| 180 | |
|---|
| 181 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
|---|
| 182 | |
|---|
| 183 | (Below is only if there are problems) |
|---|
| 184 | |
|---|
| 185 | Note that in /usr/local/src/nfsen-1.3.5/etc/nfsen.conf there is a variable |
|---|
| 186 | $HTMLDIR that you may need to configure. By default it is set like this: |
|---|
| 187 | |
|---|
| 188 | $HTMLDIR="/var/www/nfsen/"; |
|---|
| 189 | |
|---|
| 190 | In some cases you may need to either move the nfsen directory in your web |
|---|
| 191 | structure, or update the $HTMLDIR variable for your installation. |
|---|
| 192 | |
|---|
| 193 | If you move items, then do: |
|---|
| 194 | |
|---|
| 195 | # /etc/init.d/apache2 restart |
|---|
| 196 | |
|---|
| 197 | |
|---|
| 198 | 6. Verify that flows are arriving |
|---|
| 199 | |
|---|
| 200 | Assuming that you are exporting flows from a router, or routers, to |
|---|
| 201 | your collector box on port 9009 you can check for arriving data using |
|---|
| 202 | tcpdump: |
|---|
| 203 | |
|---|
| 204 | # tcpdump -v udp port 9009 |
|---|
| 205 | # tcpdump -v udp port 9996 |
|---|
| 206 | |
|---|
| 207 | OPTIONAL |
|---|
| 208 | |
|---|
| 209 | |
|---|
| 210 | 7. Installing the PortTracker plugin (Optional or as reference) |
|---|
| 211 | |
|---|
| 212 | # apt-get install bison flex |
|---|
| 213 | # cd /usr/local/src |
|---|
| 214 | # wget http://noc.ws.nsrc.org/downloads/nfdump-1.6.3p1.tar.gz |
|---|
| 215 | # tar xvzf nfdump-1.6.3p1.tar.gz |
|---|
| 216 | # cd nfdump-1.6.3p1 |
|---|
| 217 | # ./configure |
|---|
| 218 | # make |
|---|
| 219 | |
|---|
| 220 | |
|---|
| 221 | |
|---|
| 222 | - Go the PortTracker directory in the nfsen source distribution: |
|---|
| 223 | |
|---|
| 224 | # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker |
|---|
| 225 | |
|---|
| 226 | # vi do_compile |
|---|
| 227 | |
|---|
| 228 | # path of nfdump sources |
|---|
| 229 | NFDUMP="/usr/local/src/nfdump-1.6.3p1" |
|---|
| 230 | |
|---|
| 231 | # path of rrd include file rrd.h |
|---|
| 232 | RRDINCLUDE=/usr/include |
|---|
| 233 | |
|---|
| 234 | # path of rrd library |
|---|
| 235 | LIBRRD=/usr/lib |
|---|
| 236 | |
|---|
| 237 | - Compile nftrack: |
|---|
| 238 | |
|---|
| 239 | # ./do_compile |
|---|
| 240 | |
|---|
| 241 | ... |
|---|
| 242 | |
|---|
| 243 | # cp nftrack /usr/local/bin/ |
|---|
| 244 | |
|---|
| 245 | - Make a directory for the nftrack data |
|---|
| 246 | |
|---|
| 247 | # mkdir -p /var/log/netflow/porttracker |
|---|
| 248 | # chown www-data /var/log/netflow/porttracker |
|---|
| 249 | |
|---|
| 250 | - Set the nftrack data directory in the PortTracker.pm module: |
|---|
| 251 | |
|---|
| 252 | # vi PortTracker.pm |
|---|
| 253 | |
|---|
| 254 | Find the line: |
|---|
| 255 | |
|---|
| 256 | my $PORTSDBDIR = "/data/ports-db"; |
|---|
| 257 | |
|---|
| 258 | and change it to: |
|---|
| 259 | |
|---|
| 260 | my $PORTSDBDIR = "/var/log/netflow/porttracker"; |
|---|
| 261 | |
|---|
| 262 | ... |
|---|
| 263 | |
|---|
| 264 | - Install the plugins into the NFSen distribution |
|---|
| 265 | |
|---|
| 266 | # cp PortTracker.pm /var/nfsen/plugins/ |
|---|
| 267 | # cp PortTracker.php /var/www/nfsen/plugins/ |
|---|
| 268 | |
|---|
| 269 | - Add the plugin definition to the nfsen.conf configuration |
|---|
| 270 | |
|---|
| 271 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 272 | # vi etc/nfsen.conf |
|---|
| 273 | |
|---|
| 274 | Find the plugins section and make it look like this: |
|---|
| 275 | |
|---|
| 276 | @plugins = ( |
|---|
| 277 | [ 'live', 'PortTracker'], |
|---|
| 278 | ); |
|---|
| 279 | |
|---|
| 280 | ... |
|---|
| 281 | |
|---|
| 282 | - Re-run the installation (answer questions) |
|---|
| 283 | |
|---|
| 284 | # perl install.pl etc/nfsen.conf |
|---|
| 285 | |
|---|
| 286 | - Initialize portracker database files |
|---|
| 287 | |
|---|
| 288 | # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker |
|---|
| 289 | |
|---|
| 290 | (This can take a LONG time! - 8 GB worth of files will be created) |
|---|
| 291 | |
|---|
| 292 | - Set the permissions so the netflow user running nfsen, and the www-data |
|---|
| 293 | user running the Web interface, can access the porttracker data: |
|---|
| 294 | |
|---|
| 295 | # chown -R netflow:www-data /var/log/netflow/porttracker |
|---|
| 296 | # chmod -R 775 /var/log/netflow/porttracker |
|---|
| 297 | |
|---|
| 298 | - Reload: |
|---|
| 299 | |
|---|
| 300 | # /var/nfsen/bin/nfsen reload |
|---|
| 301 | |
|---|
| 302 | - Check for success: |
|---|
| 303 | |
|---|
| 304 | # grep -i 'porttracker.*success' /var/log/syslog |
|---|
| 305 | Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success |
|---|
| 306 | Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success |
|---|
| 307 | |
|---|
| 308 | - Wait some minutes, and go the the nfsen GUI |
|---|
| 309 | |
|---|
| 310 | http://pcN.ws.nsrc.org/nfsen/nfsen.php |
|---|
| 311 | |
|---|
| 312 | ... and select the Plugins tab. |
|---|
| 313 | |
|---|
| 314 | |
|---|
| 315 | 8. If you wanted to add more sources... |
|---|
| 316 | |
|---|
| 317 | Go back to where you extracted your nfsen distribution. |
|---|
| 318 | |
|---|
| 319 | # cd /usr/local/src/nfsen-1.3.5 |
|---|
| 320 | # vi etc/nfsen.conf |
|---|
| 321 | |
|---|
| 322 | Update your sources for new items that you migh have. |
|---|
| 323 | (Sample only!) |
|---|
| 324 | |
|---|
| 325 | %sources = ( |
|---|
| 326 | 'rtr' => {'port' => '9000', 'col' => 'e4e4e4' }, |
|---|
| 327 | 'rtr2' => { 'port' => '9001', 'col' => '#0000ff' }, |
|---|
| 328 | 'rtr3' => { 'port' => '9002','col' => '#00cc00' }, |
|---|
| 329 | 'rtr4' => { 'port' => '9003','col' => '#000000' }, |
|---|
| 330 | 'rtr5' => { 'port' => '9004','col' => '#ff0000' }, |
|---|
| 331 | 'rtr6' => { 'port' => '9005','col' => '#ffff00' }, |
|---|
| 332 | ); |
|---|
| 333 | |
|---|
| 334 | Save and exit from the nfsend.conf file. |
|---|
| 335 | |
|---|
| 336 | Remember, you've updated nfsen.conf so you must re-run the install |
|---|
| 337 | script: |
|---|
| 338 | |
|---|
| 339 | # perl install.pl etc/nfsen.conf |
|---|
| 340 | |
|---|
| 341 | Now start and stop nfsen: |
|---|
| 342 | |
|---|
| 343 | # /var/nfsen/bin/nfsen stop |
|---|
| 344 | # /var/nfsen/bin/nfsen start |
|---|
| 345 | |
|---|
| 346 | You can add the nfsen startup script to /etc/init.d/rc.local |
|---|
| 347 | or somewhere similar to start it at bootup.) |
|---|
| 348 | |
|---|
| 349 | |
|---|