Installing a fprobe/nfsen configuration on CentOS 4
Configure your network:
For this to work you need a smart switch that can mirror/clone traffic from one port to another, a computer to act as the flow generator, and a computer to act as the nfsen station.
In practice this means you will be mirroring the traffic you are interested in to a port to be connected to the monitoring station. I like to dedicate an interface on the monitoring station for this purpose; depending on your switch this might be mandatory as some switches will not let a system transmit through a switch set to "monitoring/mirroring" mode. (Note that 3Com used to call this mode "RMON Roving Port Analysis". Maybe they still do.)
Usually when doing pilots, the flow generating computer is the same as the nfsen computer.
Note that if your firewall/router is suitably advanced, you may be able to generate netflows internally from the device and therefore skip the fprobe steps completely.
This is all left as an exercise for the reader.
Download:
For the purposes of this example I am using:
Install Prerequisites
These are available from rpmforge:
$ sudo yum install rrdtool rrdtool-devel perl-MailTools
You also need stuff like apache, perl, php, and the development tools, but all that stuff is available from base and/or update.
Install fprobe
I use my own .src.rpm. In practice you can just do it the straightforward way:
$ ./configure
$ sudo make install
Start running fprobe to generate netflows
Invocation:
# fprobe -fip -i device dest_ip:dest_port
Notes:
- dest_ip can be localhost if you are running this on the same computer.
- for best results, don't use the interface you are monitoring to send/receive the netflows (because their addition will skew the numbers slightly).
- You might be interested in -e and -q values depending on how busy your link is.
Operational example:
# fprobe -fip -i eth2 -e 120 -q 10240 10.16.5.45:999
Create a local user
nfsen wants to run as a local user, by default "netflow".
$ sudo useradd -G apache -d /var/lib/netflow netflow
I stick netflow stuff in /var for no good reason.
This local user must be a member of the group that the webserver runs as (on CentOS, it is apache).
Also, you have to make sure that the webserver's group has read-access to the nfsen tree; I usually do it like this:
$ sudo chown netflow:apache ~netflow
$ sudo chmod 750 ~netflow
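The ownership/permissions step above is the one that most often gets skipped, and the symptom (nfsen's web front end failing to initialize its globals) is not obviously related to it. The following is an added example, not part of the original write-up, that checks the nfsen tree before you start nfsen: owner, group, group read/search access, no world access, and that the nfsen user really is a member of the webserver group. It assumes GNU stat (as on CentOS) and the names used on this page, netflow and apache, as defaults.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the nfsen tree
# before starting nfsen, so that permission mistakes surface here instead of
# as "cannot initialize globals" errors in the web front end.
# Assumes GNU stat (CentOS/Linux); defaults assume user "netflow", group "apache".

# check_nfsen_perms DIR USER GROUP
# Returns 0 when DIR is owned by USER:GROUP, GROUP can read and search it,
# "other" has no access (the page's chmod 750), and USER is a member of GROUP.
check_nfsen_perms() {
    dir=$1
    want_user=$2
    want_group=$3

    [ -d "$dir" ] || { echo "nfsen tree $dir does not exist" >&2; return 1; }

    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")
    mode=$(stat -c %a "$dir")      # e.g. 750 or 2750

    [ "$owner" = "$want_user" ] || {
        echo "$dir is owned by $owner, expected $want_user (chown $want_user:$want_group $dir)" >&2
        return 1
    }
    [ "$group" = "$want_group" ] || {
        echo "$dir has group $group, expected $want_group (chown $want_user:$want_group $dir)" >&2
        return 1
    }

    # Group digit must be 5 (r-x) or 7 (rwx); "other" digit must be 0.
    case "$mode" in
        *[57]0) ;;
        *) echo "$dir has mode $mode, expected 750 (chmod 750 $dir)" >&2; return 1 ;;
    esac

    # The nfsen user must be in the webserver's group (useradd -G apache ...).
    if ! id -Gn "$want_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$want_group"; then
        echo "user $want_user is not a member of group $want_group" >&2
        return 1
    fi

    echo "$dir: ownership and permissions look right for nfsen" >&2
    return 0
}

# Stand-alone usage: ./check_nfsen_perms.sh /var/lib/netflow [user] [group]
if [ $# -ge 1 ]; then
    check_nfsen_perms "$1" "${2:-netflow}" "${3:-apache}"
fi
```

Run it as root (or as any user who can read the tree) right after the chown/chmod above; a non-zero exit tells you which of the three steps (useradd -G, chown, chmod) was missed.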
Build and Install nfdump
$ ./configure --enable-nfprofile
$ make
$ sudo make install
Configure nfsen
I copy etc/nfsen-dist.conf to etc/nfsen.conf and then edit the copy.
Lines I change:
- $BASEDIR (I change it to live in /var/lib/netflow/nfsen-1.3 so that if I ever have multiple versions I can keep them separate)
- $WWWUSER/$WWWGROUP (change both to apache)
- %sources (remove the two samples, add your flow(s)); example to match the fprobe example above:
%sources = ( 'ns25-lan' => { 'port' => '999', 'col' => '#0000ff', 'type' => 'netflow' }, );
Install nfsen:
$ sudo install.pl etc/nfsen.conf
Start nfsen:
$ sudo nfsen-1.3/bin/nfsen start
Configure http to look at nfsen:
This is an example /etc/httpd/conf.d/nfsen.conf
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen/>
    DirectoryIndex nfsen.php
    Options -Indexes
    AllowOverride all
    order allow,deny
    allow from all
    AuthType Basic
    AuthUserFile /etc/httpd/conf/htpasswd.nfsen
    AuthName "Access"
    require valid-user
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc on
    php_flag track_vars on
</Directory>
Note that if you use the Auth stuff above you also need to create and populate the relevant password file:
sudo htpasswd -c /etc/httpd/conf/htpasswd.nfsen admin
New password:
Re-type new password:
...and restart httpd so that the change takes effect:
$ sudo /usr/sbin/service httpd restart
Make it all reasonably available
You'll want to ensure that the following things start on boot:
Enjoy your netflows
Point your browser at the system where you installed nfsen and start playing.
If you get ugly messages about not being able to initialize globals (among other problems) then you almost certainly skipped the directory ownership/permissions step above.
A Brief Word About VLANs
If you are using VLANs on the wire you are sniffing, whether or not you need to get fancy depends on the switch type. When I was hooked up to a 3Com 4900, a single fprobe instance attached to the interface read all VLANs correctly; when the 4900 was replaced by a Dell 3548, the single fprobe instance only read the outbound traffic and didn't read any of the inbound traffic. I had to create un-addressed interfaces for each VLAN and then run a separate fprobe instance for each interface (with an associated separate source on the nfsen collector too).
e.g.:
vconfig add eth2 2024
ifconfig eth2.2024 up
fprobe -f"ip" -i eth2.2024 -e 120 -q 10240 172.30.0.159:997
vconfig add eth2 2045
ifconfig eth2.2045 up
fprobe -f"ip" -i eth2.2045 -e 120 -q 10240 172.30.0.159:996
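Once you are past two or three VLANs, the easy mistake is a port mismatch: an fprobe instance sending to a port that no nfsen source is listening on, or two instances sharing one port so their flows get merged into one graph. The following is an added example, not from the original post, that generates both halves from one list of VLAN IDs: the per-VLAN vconfig/ifconfig/fprobe commands exactly as laid out above (one destination port per VLAN, counting down from the first port the way the page does with 997, 996), and the matching %sources block for nfsen.conf. The name prefix, the assumption that ports count downwards, and the VLAN range check are mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): emit the per-VLAN fprobe setup
# and the matching nfsen %sources entries from one list of VLAN IDs, so the
# probe ports and the collector ports cannot drift apart.
# Assumptions: ports are allocated downwards from FIRST_PORT (as on the page),
# fprobe options -e 120 -q 10240 are reused from the page's example.

# valid_vlan ID: 0 if ID is an integer in 1..4094, 1 otherwise
valid_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# gen_vlan_probes PARENT_IF COLLECTOR_IP FIRST_PORT VLAN...
# Prints the vconfig/ifconfig/fprobe lines for each VLAN, one port per VLAN.
gen_vlan_probes() {
    parent=$1
    collector=$2
    port=$3
    shift 3
    for vid in "$@"; do
        valid_vlan "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
        printf 'vconfig add %s %s\n' "$parent" "$vid"
        printf 'ifconfig %s.%s up\n' "$parent" "$vid"
        printf 'fprobe -f"ip" -i %s.%s -e 120 -q 10240 %s:%s\n' \
            "$parent" "$vid" "$collector" "$port"
        port=$((port - 1))
    done
}

# gen_nfsen_sources NAME_PREFIX FIRST_PORT VLAN...
# Prints the %sources hash for nfsen.conf using the same port sequence, so
# every fprobe instance above has a collector source listening for it.
gen_nfsen_sources() {
    prefix=$1
    port=$2
    shift 2
    printf '%%sources = (\n'
    for vid in "$@"; do
        valid_vlan "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
        printf "    '%s-vlan%s' => { 'port' => '%s', 'col' => '#0000ff', 'type' => 'netflow' },\n" \
            "$prefix" "$vid" "$port"
        port=$((port - 1))
    done
    printf ');\n'
}

# Stand-alone usage reproduces the page's two-VLAN example:
#   ./vlan_probes.sh eth2 172.30.0.159 997 2024 2045
if [ $# -ge 4 ]; then
    parent=$1; collector=$2; first=$3; shift 3
    gen_vlan_probes "$parent" "$collector" "$first" "$@"
    echo
    gen_nfsen_sources "$(echo "$parent" | tr -d .)" "$first" "$@"
fi
```

Paste the first block into whatever you use to start fprobe at boot and the second into the %sources line of nfsen.conf; because both walk the same VLAN list with the same starting port, adding a VLAN later means re-running this once rather than editing two files by hand.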