1 Monitoring Netflow with NFsen - Network Monitoring and Management

2 Introduction

2.1 Goals

2.2 Notes

3 Configure Your Collector

3.1 Install NFDump and associated software

Check whether nfdump is already installed:

nfdump -V

If it shows a banner with the nfdump version, skip to the next section ("Testing nfcapd and nfdump").

NFdump is part of the Netflow flow collector tools, which includes:

nfcapd, nfdump, nfreplay, nfexpire, nftest, nfgen

There is an nfdump package in Ubuntu, but it is too old, so we are going to build it from source. First, check that you have the build tools and dependencies:

$ sudo apt-get update
$ sudo apt-get install build-essential autoconf
$ sudo apt-get install rrdtool mrtg librrds-perl librrdp-perl librrd-dev \
       libmailtools-perl php5 bison flex libsocket6-perl

Now proceed to download and build. Note that only the last step (make install) has to be done as root.

$ cd
$ wget http://www.ws.nsrc.org/downloads/nfdump-1.6.13.tar.gz
$ tar xvzf nfdump-1.6.13.tar.gz
$ cd nfdump-1.6.13
$ ./configure --help      # optional, shows the build settings available
$ ./configure --enable-nfprofile --enable-nftrack
$ make
$ sudo make install

3.1.1 Testing nfcapd and nfdump

$ mkdir /tmp/nfcap-test
$ nfcapd -E -p 9001 -l /tmp/nfcap-test

... after a while, a series of flows should be dumped on your screen.

Stop the tool with CTRL+C, then look at the contents of /tmp/nfcap-test:

$ ls -l /tmp/nfcap-test

You should see one or more files called nfcapd.<YEAR><MON><DAY><HR><MIN>

Process the file(s) with nfdump:

nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz | less
nfdump -r /tmp/nfcap-test/nfcapd.201Ywwxxyyzz -s srcip/bytes

You should get some useful information :)

3.2 Installing and setting up NfSen

Check whether nfsen is already installed on your system:

/var/nfsen/bin/nfsen --version

If it shows a banner with the version number, skip all the way down to "Add the first source".

Download and compile.

$ cd
$ wget http://www.ws.nsrc.org/downloads/nfsen-1.3.6p1.tar.gz
$ tar xvzf nfsen-1.3.6p1.tar.gz

Now you have to change one file so that NfSen works with Ubuntu 16.04:

$ cd
$ cd nfsen-1.3.6p1
$ editor libexec/NfSenRRD.pm

Find the following line (it's around line 75)

        if ( $rrd_version >= 1.2 && $rrd_version < 1.5 ) {

and change the 1.5 to 1.6, so it looks like this:

        if ( $rrd_version >= 1.2 && $rrd_version < 1.6 ) {

Next step is to create an initial config file and edit it.

$ cd
$ cd nfsen-1.3.6p1/etc
$ cp nfsen-dist.conf nfsen.conf
$ editor nfsen.conf

Set the $BASEDIR variable:

$BASEDIR = "/var/nfsen";

Set the users appropriately so that Apache can access files:

$WWWUSER = 'www-data';
$WWWGROUP = 'www-data';

Set the buffer size to something small, so that we see data quickly. You would not do this on a production system.

# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 2000;

Find the %sources definition, and change it to:

%sources=(
'rtrX' => {'port'=>'9001','col'=>'#0000ff','type'=>'netflow'},
);

(substitute your group's router for rtrX, and either remove or comment out the existing sample sources).

Change the HTMLDIR from /var/www/nfsen/ to /var/www/html/nfsen/

$HTMLDIR    = "/var/www/html/nfsen/";

Now save and exit from the file.

3.3 Create the netflow user on the system

$ sudo useradd -d /var/nfsen -G www-data -m -s /bin/false netflow

3.4 Install NfSen and start it

Change directory back to just inside the source directory:

$ cd
$ cd nfsen-1.3.6p1

Now, finally, we install:

$ sudo perl install.pl etc/nfsen.conf

Press ENTER when prompted for the path to Perl.

3.5 Install init script

In order to have nfsen start and stop automatically when the system starts, add a link in the init.d directory pointing to the nfsen startup script:

$ sudo ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
$ sudo update-rc.d nfsen defaults 20

Start NfSen

$ sudo service nfsen start

Check that nfcapd processes have been started:

$ ps auxwww | grep nfcapd

Now skip to "Check web interface" below.

3.6 Add the first source

This section is for a lab where nfsen was already installed; you need to tell it which port to listen on.

As root, edit /var/nfsen/etc/nfsen.conf. Scroll down until you find the %sources section, and edit it so it looks like this:

%sources=(
'rtrX' => {'port'=>'9001','col'=>'#0000ff','type'=>'netflow'},
);

(substitute your group's router for rtrX. You can ignore any existing sample sources as long as they are commented out with '#')

Now tell nfsen to reconfigure itself: you will need to run this every time you modify /var/nfsen/etc/nfsen.conf:

# /etc/init.d/nfsen reconfig

You should see something like this:

New sources to configure : rtrX
Continue? [y/n] y

Add source 'rtrX'

Start/restart collector on port '9001' for (rtrX)[pid]

Restart nfsend:[pid]

If nfsen wasn't already running then you may need to start it:

# /etc/init.d/nfsen start
Starting nfcapd:(rtrX)[pid]
Starting nfsend.

4 Check web interface

You can find the nfsen page here:

http://pcX.ws.nsrc.org/nfsen/nfsen.php

You may see a message such as:

Frontend - Backend version mismatch!

This will go away when you reload the page; it is not a problem.

Done! Move on to the third lab, exercise3-nfsen-top-talkers

5 Notes

5.1 Multiple routers

If your real network has multiple routers which are sending flows to the same collector, you can configure them to send to different ports on the collector, and configure nfsen to listen on multiple ports with different names and colors for each router.

DON'T DO THIS NOW as you only have a single router, but if you needed to, you would edit /var/nfsen/etc/nfsen.conf and add the source(s), for example:

%sources = (
    'rtrX'  => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
    'rtrY'  => { 'port' => '9002', 'col' => '#00ff00', 'type' => 'netflow' },
    'gw'    => { 'port' => '9996', 'col' => '#ff0000', 'type' => 'netflow' },
);
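The settings edited in section 3.2 and the multi-router %sources above are easy to get subtly wrong (two sources on the same port, a missing $HTMLDIR), and nfsen only tells you when nfcapd fails to start. The checker below is an added example, not part of this lab or of NfSen itself: it parses the lines this lab touches out of a constructed nfsen.conf fragment and reports problems. The 100000 BUFFLEN cut-off is an assumption chosen to flag the lab-only small buffer.

```python
import re

# Constructed sample nfsen.conf fragment (not the file NfSen ships); the 'gw' entry
# reuses port 9002, a collision that only shows up when the second nfcapd cannot bind.
SAMPLE_CONF = """
$BASEDIR = "/var/nfsen";
$HTMLDIR    = "/var/www/html/nfsen/";
$WWWUSER = 'www-data';
$WWWGROUP = 'www-data';
$BUFFLEN = 2000;
%sources = (
    'rtrX'  => { 'port' => '9001', 'col' => '#0000ff', 'type' => 'netflow' },
    'rtrY'  => { 'port' => '9002', 'col' => '#00ff00', 'type' => 'netflow' },
#   'old'   => { 'port' => '9001', 'col' => '#ffffff', 'type' => 'netflow' },
    'gw'    => { 'port' => '9002', 'col' => '#ff0000', 'type' => 'netflow' },
);
"""

SCALAR_RE = re.compile(r"^\s*\$(\w+)\s*=\s*[\"']?([^\"';]*)[\"']?\s*;", re.M)
SOURCE_RE = re.compile(r"^\s*'(\w+)'\s*=>\s*\{([^}]*)\}", re.M)   # '#' lines never match
KV_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")

def parse_conf(conf):
    # Return (scalars, sources) built from the uncommented lines only.
    scalars = dict(SCALAR_RE.findall(conf))
    block = conf.partition("%sources")[2].partition(");")[0]
    sources = {m.group(1): dict(KV_RE.findall(m.group(2)))
               for m in SOURCE_RE.finditer(block)}
    return scalars, sources

def check_conf(conf):
    """List problems in the settings this lab edits; an empty list means clean."""
    scalars, sources = parse_conf(conf)
    problems = []
    for key in ("BASEDIR", "HTMLDIR", "WWWUSER", "WWWGROUP"):
        if not scalars.get(key):
            problems.append(f"{key} is not set")
    bufflen = scalars.get("BUFFLEN")
    if bufflen and int(bufflen) < 100000:            # assumed lab-only cut-off
        problems.append("BUFFLEN is small: fine for a lab, not for production")
    seen = {}                                        # port -> first source using it
    for name, src in sources.items():
        port = int(src["port"]) if src.get("port", "").isdigit() else 0
        if not 1 <= port <= 65535:
            problems.append(f"{name}: port {src.get('port')!r} is invalid")
        elif port in seen:
            problems.append(f"{name}: port {port} already used by {seen[port]}")
        seen.setdefault(port, name)
        if src.get("type") not in ("netflow", "sflow"):
            problems.append(f"{name}: unknown type {src.get('type')!r}")
    return problems
```

Run it against /var/nfsen/etc/nfsen.conf before "nfsen reconfig"; a clean result is an empty list.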