Agenda: exercises-netflow-nfsen.txt

File exercises-netflow-nfsen.txt, 8.7 KB (added by admin, 8 years ago)
Network Monitoring and Management

Configure Your Router to Export Flows
-------------------------------------

1. Export flows from a router

This is a sample for doing this from the Group 1 router, rtr1.ws.nsrc.org, to
the PC named pc1.ws.nsrc.org or 10.10.1.1. In each of your groups 1 through 9
you must choose one person to type in the commands to set up the router for NetFlow
and one PC where the NetFlow exports will go. IOS can unfortunately not send
NetFlow messages to more than 1 or 2 devices, so we will use only 1 now.

For example, if our router is rtr1, or 10.10.1.254 (Group 1 gateway):

Log in on the router:

   # ssh cisco@10.10.1.254
   rtr1.ws.nsrc.org> enable

Enter the enable password...

Configure FastEthernet 0/0 to generate NetFlow:

   rtr1.ws.nsrc.org# configure terminal
   rtr1.ws.nsrc.org(config)# interface FastEthernet 0/0
   rtr1.ws.nsrc.org(config-if)# ip flow ingress
   rtr1.ws.nsrc.org(config-if)# ip flow egress
   rtr1.ws.nsrc.org(config-if)# exit
   rtr1.ws.nsrc.org(config)# ip flow-export destination 10.10.1.1 9996
   rtr1.ws.nsrc.org(config)# ip flow-export version 5
   rtr1.ws.nsrc.org(config)# ip flow-cache timeout active 5

This breaks up long-lived flows into 5-minute fragments. You can
choose any number of minutes between 1 and 60. If you leave it at
the default of 30 minutes your traffic reports will have spikes,
because the whole byte count of a long-lived flow is only reported
when the flow finally expires.

   rtr1.ws.nsrc.org(config)# snmp-server ifindex persist

This enables ifIndex persistence globally, so that the ifIndex values
survive router reboots and the interface numbers in the exported flows
keep referring to the same interfaces.

Now configure how you want the ip flow top-talkers to work:

   rtr1.ws.nsrc.org(config)# ip flow-top-talkers
   rtr1.ws.nsrc.org(config-flow-top-talkers)# top 20
   rtr1.ws.nsrc.org(config-flow-top-talkers)# sort-by bytes
   rtr1.ws.nsrc.org(config-flow-top-talkers)# end

Now we'll verify what we've done.

   rtr1.ws.nsrc.org# show ip flow export
   rtr1.ws.nsrc.org# show ip cache flow

See your "top talkers" across your router interfaces:

   rtr1.ws.nsrc.org# show ip flow top-talkers

If it all looks good then write your running-config to non-volatile
RAM (i.e. the startup-config):

   rtr1.ws.nsrc.org# wr mem

You can exit from the router now:

   rtr1.ws.nsrc.org# exit

On the machine that the flows are being exported to, you can verify that they
are arriving by running (as root):

        # tcpdump -v udp port 9996

In addition (_PLEASE NOTE_) we are re-exporting NetFlow data from the gateway
router to all the PCs in the classroom. You can verify that these flows are
arriving by typing:

        # tcpdump -v udp port 9009

For the exercises we'll assume you are on a PC where flows are only arriving
from the gateway router, and we'll use the 9009 port.


Configure Your Collector
------------------------

1. Install NFdump

   NFdump is the NetFlow flow collector.

   We also install several additional packages that we will need a bit
   later.

Only install these if you did not already install mrtg and rrdtool:

   # apt-get install rrdtool
   # apt-get install librrds-perl
   # apt-get install librrdp-perl
   # apt-get install mrtg

If mrtg and rrdtool are already installed, then you just need these:

   # apt-get install librrd-dev
   # apt-get install nfdump

Or, on a single line:

   # apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev nfdump

   This will install, among other things, nfcapd, nfdump, nfreplay,
   nfexpire, nftest and nfgen.


2. Installing and Setting up NfSen (logged in as root)

   # cd /usr/local/src
   # wget http://noc.ws.nsrc.org/downloads/nfsen-1.3.5.tar.gz
   # tar xvzf nfsen-1.3.5.tar.gz
   # cd nfsen-1.3.5
   # cd etc
   # cp nfsen-dist.conf nfsen.conf
   # vi nfsen.conf

Set the $BASEDIR variable:

   $BASEDIR="/var/nfsen";

Set the users appropriately so that Apache can access files:

   $WWWUSER = 'www-data';
   $WWWGROUP = 'www-data';

Adjust the tools path to where the nfdump binaries actually reside:

        # nfdump tools path
        $PREFIX = '/usr/bin';

Set the buffer size to something small, so that we see data quickly:

        # Receive buffer size for nfcapd - see man page nfcapd(1)
        $BUFFLEN = 2000;

Find the %sources definition, and change it to the following (replace rtrX
with your group's router, e.g. rtr1):

   %sources=(
     'rtrX'=>{'port'=>'9996','col'=>'#ff0000','type'=>'netflow'},
     'gw'=>{'port'=>'9009','col'=>'#0000ff','type'=>'netflow'},
   );

Now save and exit from the file.


3. Create the netflow user on the system

   # useradd -d /var/netflow -G www-data -m -s /bin/false netflow


4. Initiate NfSen. Any time you make changes to nfsen.conf you will
   have to do this step again.

Make sure we are in the right location:

   # cd /usr/local/src/nfsen-1.3.5

Now, finally, we install:

   # perl install.pl etc/nfsen.conf

Start NfSen:

   # cd /var/nfsen/bin
   # ./nfsen start


5. View flows via the web:

   This should not be necessary, but just in case:

   # apt-get install php5

You can find the nfsen output here:

   http://pcN.ws.nsrc.org/nfsen/nfsen.php

(Below is only if there are problems)

Note that in /usr/local/src/nfsen-1.3.5/etc/nfsen.conf there is a variable
$HTMLDIR that you may need to configure. By default it is set like this:

   $HTMLDIR="/var/www/nfsen/";

In some cases you may need to either move the nfsen directory in your web
structure, or update the $HTMLDIR variable for your installation.

If you move items, then do:

   # /etc/init.d/apache2 restart


6. Verify that flows are arriving

Assuming that you are exporting flows from a router, or routers, to
your collector box on port 9009 (the gateway re-export) and 9996 (your
group's router), you can check for arriving data using tcpdump:

   # tcpdump -v udp port 9009
   # tcpdump -v udp port 9996

OPTIONAL


7. Installing the PortTracker plugin (Optional or as reference)

- Build nfdump from source (nftrack is compiled against the nfdump sources):

   # apt-get install bison flex
   # cd /usr/local/src
   # wget http://noc.ws.nsrc.org/downloads/nfdump-1.6.3p1.tar.gz
   # tar xvzf nfdump-1.6.3p1.tar.gz
   # cd nfdump-1.6.3p1
   # ./configure
   # make

- Go to the PortTracker directory in the nfsen source distribution:

   # cd /usr/local/src/nfsen-1.3.5/contrib/PortTracker

   # vi do_compile

      # path of nfdump sources
      NFDUMP="/usr/local/src/nfdump-1.6.3p1"

      # path of rrd include file rrd.h
      RRDINCLUDE=/usr/include

      # path of rrd library
      LIBRRD=/usr/lib

- Compile nftrack:

   # ./do_compile

...

   # cp nftrack /usr/local/bin/

- Make a directory for the nftrack data:

   # mkdir -p /var/log/netflow/porttracker
   # chown www-data /var/log/netflow/porttracker

- Set the nftrack data directory in the PortTracker.pm module:

   # vi PortTracker.pm

    Find the line:

        my $PORTSDBDIR = "/data/ports-db";

    and change it to:

        my $PORTSDBDIR = "/var/log/netflow/porttracker";

    ...

- Install the plugins into the NfSen distribution:

   # cp PortTracker.pm /var/nfsen/plugins/
   # cp PortTracker.php /var/www/nfsen/plugins/

- Add the plugin definition to the nfsen.conf configuration:

   # cd /usr/local/src/nfsen-1.3.5
   # vi etc/nfsen.conf

    Find the plugins section and make it look like this:

       @plugins = (
           [ 'live',   'PortTracker'],
       );

    ...

- Re-run the installation (answer the questions):

   # perl install.pl etc/nfsen.conf

- Initialize the PortTracker database files:

   # sudo -u www-data nftrack -I -d /var/log/netflow/porttracker

    (This can take a LONG time! - 8 GB worth of files will be created)

- Set the permissions so the netflow user running nfsen, and the www-data
  user running the Web interface, can access the porttracker data:

   # chown -R netflow:www-data /var/log/netflow/porttracker
   # chmod -R 775 /var/log/netflow/porttracker

- Reload:

   # /var/nfsen/bin/nfsen reload

- Check for success:

   # grep -i 'porttracker.*success' /var/log/syslog
   Nov 27 02:46:13 noc nfsen[17312]: Loading plugin 'PortTracker': Success
   Nov 27 02:46:13 noc nfsen[17312]: Initializing plugin 'PortTracker': Success

- Wait some minutes, and go to the nfsen GUI:

    http://pcN.ws.nsrc.org/nfsen/nfsen.php

... and select the Plugins tab.


8. If you wanted to add more sources...

Go back to where you extracted your nfsen distribution.

   # cd /usr/local/src/nfsen-1.3.5
   # vi etc/nfsen.conf

Update your sources for new items that you might have.
(Sample only!)

        %sources = (
        'rtr' => {'port' => '9000', 'col' => '#e4e4e4' },
        'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
        'rtr3' => { 'port' => '9002','col' => '#00cc00' },
        'rtr4' => { 'port' => '9003','col' => '#000000' },
        'rtr5' => { 'port' => '9004','col' => '#ff0000' },
        'rtr6' => { 'port' => '9005','col' => '#ffff00' },
        );

Save and exit from the nfsen.conf file.
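An added example (not from the exercise sheet or from NfSen itself) that pulls the %sources table out of an nfsen.conf and flags the mistakes that only show up after install.pl and a restart, both for the two-source table in step 2 and for a larger table like the one above: a colour written without its leading '#', a port the unprivileged netflow user cannot bind, and two sources configured on the same port. The nfsen.conf fragment it checks is constructed for this example.

```python
import re

# One entry of the %sources hash in nfsen.conf, e.g.
#   'rtr2' => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
SOURCE_RE = re.compile(r"'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}")
KV_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")
COLOUR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")   # '#rrggbb', as in every example above

def parse_sources(conf_text):
    """Return {source_name: {key: value}} for every entry inside %sources = ( ... );"""
    block = re.search(r"%sources\s*=\s*\((.*?)\);", conf_text, re.S)
    if not block:
        raise ValueError("no %sources definition found")
    return {m.group("name"): dict(KV_RE.findall(m.group("body")))
            for m in SOURCE_RE.finditer(block.group(1))}

def check_sources(sources):
    """List the problems in a %sources table: a colour not of the form '#rrggbb',
    a port the netflow user created in step 3 cannot bind (below 1024) or that is
    not a port number at all, and two sources sharing one port (each source gets
    its own nfcapd listener, so each needs its own port)."""
    problems, port_owner = [], {}
    for name, cfg in sources.items():
        col = cfg.get("col", "")
        if not COLOUR_RE.match(col):
            problems.append("%s: colour %r is not of the form '#rrggbb'" % (name, col))
        port = cfg.get("port", "")
        if not port.isdigit() or not 1024 <= int(port) <= 65535:
            problems.append("%s: port %r is not a usable unprivileged UDP port" % (name, port))
        elif port in port_owner:
            problems.append("%s: port %s is already used by source %s" % (name, port, port_owner[port]))
        else:
            port_owner[port] = name
    return problems

# Constructed nfsen.conf fragment (not a real file): the first entry has its colour
# without the leading '#', and 'gw' reuses rtr2's port.
SAMPLE_CONF = """
%sources = (
    'rtr'  => { 'port' => '9000', 'col' => 'e4e4e4' },
    'rtr2' => { 'port' => '9001', 'col' => '#0000ff' },
    'gw'   => { 'port' => '9001', 'col' => '#00cc00', 'type' => 'netflow' },
);
"""
```

Run check_sources(parse_sources(open("etc/nfsen.conf").read())) before re-running install.pl; an empty list means the table is at least internally consistent.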

Remember, you've updated nfsen.conf so you must re-run the install
script:

   # perl install.pl etc/nfsen.conf

Now stop and start nfsen:

   # /var/nfsen/bin/nfsen stop
   # /var/nfsen/bin/nfsen start

You can add the nfsen startup script to /etc/init.d/rc.local
or somewhere similar to start it at bootup.
