NETFLOW and NFSen EXAMPLE
Track 1, PacNOG 6
Nadi, Fiji

Configure Your Router to Export Flows
-------------------------------------

1. Export flows from a router

This is a sample only.

Our router is nm-gw, or 192.168.0.254 (classroom gateway)
Our admin user is "cisco"
Our admin password is "cisco"

Log in on the router:

# ssh cisco@192.168.0.254
nm-gw> enable

Enter the "cisco" password again.

nm-gw# configure terminal
nm-gw(config)# interface FastEthernet 0/0
nm-gw(config-if)# ip route-cache flow
nm-gw(config-if)# exit

Repeat for FastEthernet 0/1 (and all interfaces you may have that are configured):

nm-gw(config)# interface FastEthernet 0/1
nm-gw(config-if)# ip route-cache flow
nm-gw(config-if)# exit

Now tell the router where to send the flows (these are global configuration commands):

nm-gw(config)# ip flow-export destination 192.168.0.200 9996
nm-gw(config)# ip flow-export source FastEthernet 0/0
nm-gw(config)# ip flow-export source FastEthernet 0/1
nm-gw(config)# ip flow-export version 5
nm-gw(config)# ip flow-cache timeout active 5

Note that IOS keeps only one flow-export source interface, so the second "ip flow-export source" line replaces the first: exported datagrams will carry the address of FastEthernet 0/1, and that is the address the collector will see them coming from.

The "timeout active 5" breaks up long-lived flows into 5-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes.

nm-gw(config)# snmp-server ifindex persist
nm-gw(config)# ^Z
nm-gw# write mem

This enables ifIndex persistence globally, which ensures that the ifIndex values survive router reboots (so the interface numbers in your flow records keep meaning the same interfaces).

Now we'll verify what we've done:

nm-gw# show ip flow export
nm-gw# show ip cache flow

See your "top talkers" across your router interfaces:

nm-gw# show ip flow top-talkers

Configure Your Collector
------------------------

1. Install NFdump

NFdump is the Netflow flow collector. We also install several additional packages that we will need a bit later:

# apt-get install rrdtool
# apt-get install mrtg
# apt-get install nfdump

This will install, among other things, nfcapd, nfdump, nfreplay, nfexpire, nftest, nfgen.

2. Install NfSen

# cd /usr/local/src
# wget http://superb-west.dl.sourceforge.net/sourceforge/nfsen/nfsen-1.3.tar.gz
# tar xvzf nfsen-1.3.tar.gz
# cd nfsen-1.3
# cd etc
# cp nfsen-dist.conf nfsen.conf
# vi nfsen.conf

Set the $BASEDIR variable:

$BASEDIR = "/var/nfsen";

Set the users:

$USER     = "netflow";
$WWWUSER  = "www-data";
$WWWGROUP = "www-data";

Add sources (where flows are coming from). This is the example for this workshop; it could also be written on a single line:

%sources = (
    'gw-rtr' => { 'port' => '9996', 'col' => '#0000ff', 'type' => 'netflow' },
);

Set the $PREFIX variable to the path where the nfdump tools are found:

$PREFIX = '/usr/bin';

Set the buffer size to something small, so that we see data quickly:

$BUFFLEN = 2000;

Now save and exit from the file.

3. Create the netflow user on the system

# useradd -d /var/netflow -G www-data -m -s /bin/false netflow

4. Initiate NfSen

Any time you make changes to nfsen.conf you will have to do this step again.

Make sure we are in the right location:

# cd /usr/local/src/nfsen-1.3

Now, finally, we install:

# perl install.pl etc/nfsen.conf

Start NfSen:

# cd /var/nfsen/bin
# ./nfsen start

5. View flows via the web

# apt-get install php5

You can find the nfsen output here:

http://localhost/nfsen/nfsen.php

Note that in /usr/local/src/nfsen-1.3/etc/nfsen.conf there is a variable $HTMLDIR that you may need to configure. By default it is set like this:

$HTMLDIR = "/var/www/nfsen/";

You may need to either move the nfsen directory in your web structure, or update the $HTMLDIR variable for your installation. If you move items, then do:

# /etc/init.d/apache2 restart

6. Verify that flows are arriving

Assuming that you are exporting flows from a router, or routers, to your collector box on port 9996, you can check for arriving data using tcpdump:

# tcpdump -v udp port 9996

7. Extend your Netflow configuration

Go back to where you extracted your nfsen distribution:

# cd /usr/local/src/nfsen-1.3
# vi etc/nfsen.conf

Update your sources for new items that you might have (sample only!):

%sources = (
    'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
    'lan1gw' => { 'port' => '2201', 'col' => '#00cc00' },
    'lan3gw' => { 'port' => '2203', 'col' => '#000000' },
    'lan4gw' => { 'port' => '2204', 'col' => '#ff0000' },
    'nocgw'  => { 'port' => '2206', 'col' => '#ffff00' },
);

Save and exit from the nfsen.conf file.

Remember, you've updated nfsen.conf so you must re-run the install script:

# perl install.pl etc/nfsen.conf

Now stop and start nfsen:

# /var/nfsen/bin/nfsen stop
# /var/nfsen/bin/nfsen start

You can add the nfsen startup script to /etc/init.d/rc.local or somewhere similar to start it at bootup.
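As an added example (not part of the workshop materials or of nfdump/NfSen): a small Python decoder for the version 5 export configured in step 1 of the router section, useful beside the tcpdump check in step 6 to confirm that what arrives on port 9996 really is well-formed NetFlow v5 and that no export datagrams are being lost on the way. The embedded datagram is constructed sample data; the field layout follows the NetFlow v5 header and record format, and listen() assumes UDP port 9996 is free on the machine it runs on.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 on the wire (big-endian): a 24-byte header followed by `count` 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, flow_sequence, engine type, engine id, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # src, dst, nexthop, in/out ifIndex, pkts, bytes, first, last, ports, flags, proto, tos, ASes, masks

def parse_v5(datagram):
    """Decode one export datagram, rejecting anything that is not well-formed NetFlow v5."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("header count does not match datagram length")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
                      "duration_ms": f[8] - f[7], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[11], "proto": f[12]})
    # low 14 bits of the sampling field hold the interval; 0 means every packet was counted
    return {"seq": seq, "count": count, "sampling": sampling & 0x3FFF, "flows": flows}

def lost_flows(prev_seq, prev_count, pkt):
    """flow_sequence counts flows exported before this datagram, so a jump past prev_seq + prev_count means export datagrams were dropped."""
    return pkt["seq"] - (prev_seq + prev_count)

def build_sample():
    """Constructed two-record datagram of the kind nm-gw would send to 192.168.0.200:9996 (sample data, not a capture)."""
    def rec(src, dst, pkts, octets, sport, dport, proto, flags=0):
        return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                        1, 2, pkts, octets, 1000, 4000, sport, dport, flags, proto, 0, 0, 0, 24, 24)
    body = (rec("192.168.0.10", "10.0.0.5", 12, 1800, 51234, 443, 6, 0x1b)
            + rec("192.168.0.11", "10.0.0.9", 3, 300, 52000, 53, 17))
    return HDR.pack(5, 2, 123456, 1256000000, 0, 1000, 0, 0, 0) + body

def listen(port=9996):
    """Receive live exports on the collector port and decode them; run it beside tcpdump to cross-check."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        pkt = parse_v5(data)
        print(f"{exporter}: seq={pkt['seq']} flows={pkt['count']} sampling={pkt['sampling']}")
```

Stop nfcapd (or point listen() at a spare port) before running it live, since only one process can hold UDP 9996.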