
Install nfsen 1.3.6p1

(2016-12-02)

Problem

How do I get nfsen 1.3.6p1 running on Fedora Server 25?

Disclaimer

Works for me, your mileage may vary, some cars not for use with some sets, if this doesn't work then the only thing I'll do for you is feel bad for you on a best-effort basis, yadda yadda…

Solution

Prerequisites:

# dnf groupinstall 'web server'
# dnf install nfdump libpcap-devel perl-Sys-Syslog rrdtool-perl.x86_64 perl-IPC-SysV perl-MailTools perl-Socket6.x86_64

Get, build and install fprobe.

# ln -s /usr/bin/nfcapd /usr/local/bin
# ln -s `which nfdump` /usr/local/bin
# ln -s `which nfprofile` /usr/local/bin

Set up the user account for nfsen:

# sudo useradd -G apache -d /var/lib/netflow netflow
# sudo chown netflow:apache ~netflow
# sudo chmod 750 ~netflow

Set a timezone in /etc/php.ini, the line will look something like

date.timezone = 'America/New_York'

Configure httpd:

  • create the file /etc/httpd/conf.d/nfsen.conf:

    Alias /nfsen /var/www/nfsen
    <Directory /var/www/nfsen/>
        DirectoryIndex nfsen.php
        Options -Indexes
        AllowOverride all
        order allow,deny
        allow from all
        AuthType Basic
        AuthUserFile /etc/httpd/conf/htpasswd.nfsen
        AuthName "Access"
        require valid-user
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc on
        php_flag track_vars on
    </Directory>

Create the htpasswd.nfsen file:

# htpasswd -c /etc/httpd/conf/htpasswd.nfsen nfsen

Get nfsen.

Configure nfsen.conf:

  • $BASEDIR (I change it to live in /var/lib/netflow/nfsen-1.3 so that if I ever have multiple versions I can keep them separate)

  • $WWWUSER/$WWWGROUP (change both to apache )

  • %sources (remove the two samples, add your flow(s)); example to match the fprobe example above:

    %sources = (
        'ns25-lan' => { 'port' => '999', 'col' => '#0000ff', 'type' => 'netflow' },
    );

Edit the nfsen-provided file libexec/NfSenRRD.pm :

  • on line 76, change the $rrd_version from 1.5 to 1.6

Install nfsen:

# install.pl <your-nfsen.conf-file>

Make nfsen start at boot time:

Create /etc/systemd/system/nfsen.service:

[Unit]
Description=NfSen Service
After=network.target

[Service]
Type=forking
PIDFile=/var/lib/netflow/nfsen-1.3/var/run/nfsend.pid
ExecStart=/var/lib/netflow/nfsen-1.3/bin/nfsen start
ExecStop=/var/lib/netflow/nfsen-1.3/bin/nfsen stop
Restart=on-abort

[Install]
WantedBy=multi-user.target

...and enable it:

# systemctl enable nfsen

Set httpd to start at boot time:

# systemctl enable httpd

Start httpd:

# service httpd start

Start nfsen:

# systemctl start nfsen

Note that for me it spits out a whole barf-load of perl warnings, but it still appears to work.

Start fprobe (making sure it is aimed at the right port):

# /usr/local/sbin/fprobe -fip -i eno1 -e 120 -q 10240 127.0.0.1:9999

...you should see something in 5 or 10 minutes.

More advanced

Create a /usr/local/sbin/start-fprobe script:

(Note: you may need to install vconfig if you are going to mess with vlans in this way!)

#!/bin/bash
# Note that destination ports have to match what is in ~netflow/nfsen/etc/nfsen.conf
INTER=ens224
# Collector host; named TARGET so the script does not clobber the shell's $HOME
TARGET=nfsen3.gridwayit.local
ifup $INTER
# VLAN 57: create the tagged sub-interface and attach its own fprobe to it
vconfig add $INTER 57
ifconfig $INTER.57 up
/usr/local/sbin/fprobe -f"ip" -i $INTER.57 -e 120 -q 10240 $TARGET:992
# VLAN 60: same again, exporting to a second nfcapd port
vconfig add $INTER 60
ifconfig $INTER.60 up
/usr/local/sbin/fprobe -f"ip" -i $INTER.60 -e 120 -q 10240 $TARGET:991

...make it executable:

# chmod 744 /usr/local/sbin/start-fprobe

Create /etc/systemd/system/fprobe.service:

[Unit]
Description=fprobe
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
ExecStart=/usr/local/sbin/start-fprobe

[Install]
WantedBy=multi-user.target

...and enable and start it:

# systemctl enable fprobe
# systemctl start fprobe
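The start-fprobe script's comment says the fprobe destination ports must match the 'port' entries in nfsen.conf (the same applies to the single-source %sources example earlier in the page). Here is an added check script, not part of the original page, that extracts both port lists and reports any fprobe destination with no nfsen source; the nfsen.conf fragment and start-fprobe script embedded below are constructed samples, and the host name collector.example.local is made up.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check the collector ports
# that fprobe exports to against the 'port' entries in nfsen.conf %sources.
# Both inputs are constructed samples embedded so the check runs offline;
# in real use, pass the contents of the real nfsen.conf and start-fprobe.

# Constructed nfsen.conf fragment, in the same shape as the page's %sources block
SAMPLE_NFSEN_CONF=$(cat <<'EOF'
%sources = (
    'vlan57' => { 'port' => '992', 'col' => '#0000ff', 'type' => 'netflow' },
    'vlan60' => { 'port' => '991', 'col' => '#00ff00', 'type' => 'netflow' },
);
EOF
)

# Constructed start-fprobe script with a deliberate typo: 990 instead of 991
SAMPLE_START_FPROBE=$(cat <<'EOF'
#!/bin/bash
# destination ports have to match nfsen.conf
TARGET=collector.example.local
/usr/local/sbin/fprobe -f"ip" -i ens224.57 -e 120 -q 10240 $TARGET:992
/usr/local/sbin/fprobe -f"ip" -i ens224.60 -e 120 -q 10240 $TARGET:990
EOF
)

# Ports nfcapd will listen on: every 'port' => 'NNN' inside %sources, one per line
nfsen_ports() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n "s/.*'port'[[:space:]]*=>[[:space:]]*'\([0-9][0-9]*\)'.*/\1/p" | sort -u
}

# Ports fprobe exports to: the trailing host:port argument of each fprobe line,
# skipping comment lines
fprobe_ports() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'fprobe' \
        | sed -n 's/.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' | sort -u
}

# Print every port fprobe sends to that has no matching nfsen.conf source
unmatched_fprobe_ports() {
    _conf=$1; _script=$2
    for _p in $(fprobe_ports "$_script"); do
        nfsen_ports "$_conf" | grep -qx "$_p" || echo "$_p"
    done
}

# Exit status 0 when every fprobe destination port has a collector, 1 otherwise
check_ports() {
    [ -z "$(unmatched_fprobe_ports "$1" "$2")" ]
}

check_ports "$SAMPLE_NFSEN_CONF" "$SAMPLE_START_FPROBE" \
    || echo "fprobe ports with no nfsen.conf source: $(unmatched_fprobe_ports "$SAMPLE_NFSEN_CONF" "$SAMPLE_START_FPROBE" | tr '\n' ' ')"
```

Run it after editing either file; a port that fprobe exports to but nfcapd never listens on is the usual reason a source stays empty after the 5 or 10 minutes the page mentions.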

Problem:

Running fprobe-1.1, feeding nfsen 1.3.6 using nfdump 1.6.6 on CentOS-5. The data is being collected on a port-mirrored port from a HP-5412zl switch. The mirrored port is the LAN side of my firewall.

My issue is that nfsen is only showing traffic which flows in one direction (from the internet into my LAN). However if I do a tcpdump on the eth that fprobe is listening to, it sees all traffic (inbound and outbound).

Does anyone have any idea why my flows are not being collected in both directions?

Discussion

I saw this issue once before. ([Link](https://web.archive.org/web/20231204133033/http://wiki.xdroop.com/space/Dell/Power+Connect+3448/Port+Monitoring)) I had a 3Com 4900 which had a port with multiple VLANs sent to a port-mirror. Fprobe correctly collected all traffic in both directions from all VLANs involved. When that switch was replaced with a Dell 3448, I only saw a single direction (in that case, outbound-only) collected. I got around this issue by defining VLAN interfaces and attaching individual fprobe processes to each VLAN interface.

However in this case I'm not VLAN'd on this port at all. So I don't understand what is going wrong.

Update

(10 November 2012):

So I messed around with tcpdump some more to see what was going on and I had some interesting results.

If I did my tcpdump as so:

# tcpdump -ni eth1 dst net $NET and not src net $NET

… I got the inbound traffic that I expected. However, flipping the src and dst around, i.e.:

# tcpdump -ni eth1 src net $NET and not dst net $NET

...yielded nothing.

If, however, I specified VLAN tagging:

# tcpdump -ni eth1 vlan and src net $NET and not dst net $NET

… I got the outbound traffic.

So clearly something weird is happening either on my network card or my switch. I'm tempted to think the former, because when I had this plugged into a different computer, the fprobe collection worked. The port-mirror has been unchanged. (Unfortunately I can't go back in time and see what was different about the old computer since it physically died.)

The man page for fprobe suggests I should be able to say -f "ip or vlan" to collect both vlan and non-vlan traffic, but fprobe barfs on this.

(13 November 2012):

So I found out that since the fprobe only collects one way, I have to have two fprobe instances:

/usr/local/sbin/fprobe -fvlan -K18 -i eth1 -e 120 -q 10240 $TARGET:9999
/usr/local/sbin/fprobe -fip -i eth1 -e 120 -q 10240 $TARGET:9998

The first one collects traffic heading out of my network, and the second one collects traffic coming in. Note the -K18 parameter, without which the -fvlan fprobe won't collect anything (see the fprobe man page, EXAMPLES section).

I further refine this by creating a live nfsen profile that has appropriate src net and not dst net (etc) rules, and using that live profile as a basis for analysis.