UPDATE: The latest version of nfdump (>=1.6.9) now includes NSEL (http://sourceforge.net/p/nfdump/news/). See Installing Nfsen 1.6.12 on Centos for further info.
This package allows you to view netflow statistics and generate some interesting graphs.
1) Install apache22 with all the defaults:
cd /usr/ports/www/apache22
make -DBATCH install
To run the apache www server at startup, add apache22_enable="YES"
to your /etc/rc.conf. Extra options can be found in the startup script.
Startup and shutdown can also be done by hand:
/usr/local/sbin/apachectl [start|stop]
Your hostname must be resolvable using at least one mechanism in
/etc/nsswitch.conf (typically DNS or /etc/hosts), or apache might
have issues starting depending on the modules you are using.
All the publicly accessible files are located in
/usr/local/www/apache22/data
2) Install PHP with the apache module
cd /usr/ports/lang/php5
make config (and turn on the "Build Apache module" option)
make install
Now make/check the following options in the apache configuration file (/usr/local/etc/apache22/httpd.conf):
a) The following option is automatically inserted if you install PHP after apache:
LoadModule php5_module libexec/apache22/libphp5.so
b) Make sure index.php is part of your DirectoryIndex.
DirectoryIndex index.html index.php
c) You should add the following to your Apache configuration file:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
d) You need to set the timezone for PHP. Create the file /usr/local/etc/php.ini and add the following:
[PHP]
date.timezone = Australia/Sydney
Other timezones can be found here: http://nl3.php.net/manual/en/timezones.php
3) Install nfsen
cd /usr/ports/net-mgmt/nfsen
make install
This will drop a base set of web files in /usr/local/www/nfsen. Create a symlink so you can get to them:
cd /usr/local/www/apache22/data
ln -s /usr/local/www/nfsen nfsen
Restart apache to pick up this symbolic link. Start nfsen:
/usr/local/bin/nfsen start
Then visit http://<ip address>/nfsen/nfsen.php and you will get the following page
Add the following to /usr/local/etc/nfsen.conf
%sources = (
'rtr01' => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
);
Note: rtr01 needs to be resolvable to the ip address of the netflow source device
Then run
/usr/local/bin/nfsen stop
/usr/local/bin/nfsen reconfig
/usr/local/bin/nfsen start
When you visit the webpage again you should get:
4) Configure your source
In my case it's a Cisco Router running c1841-adventerprisek9-mz.150-1.M4.3.bin
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.0(1)M4.3, MAINTENANCE INTERIM SOFTWARE
On the interface(s) you want to monitor, add the ip flow ingress command. Generally you should do this for all enabled interfaces.
interface FastEthernet0/0
 description Uplink
 ip flow ingress
!
interface FastEthernet0/1
 description Downlink
 ip flow ingress
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination <<ip address of NfSen server>> <<port as configured in nfsen.conf = 2055>>
Confirm it's all working using:
show ip cache flow
IP packet size distribution (1216M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .444 .160 .025 .013 .019 .038 .016 .006 .004 .001 .004 .005 .007 .001

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .005 .000 .001 .041 .200 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  280 active, 3816 inactive, 158979266 added
  1941309328 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  280 active, 744 inactive, 158979207 added, 158979207 added to flow
  0 alloc failures, 0 force free
  1 chunk, 7808 chunks added
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          21      0.0         5   104      0.0       3.7      10.2
TCP-FTP            722      0.0        19    74      0.0       5.4       2.5
TCP-WWW         776375      0.1        18   800      3.3       1.8       8.6
TCP-SMTP        384158      0.0         7   140      0.6       0.0       5.7
TCP-other     78760020     18.3        11   476    210.7       1.4       3.2
UDP-DNS       15334661      3.5         1    78      5.3       0.2      15.4
UDP-NTP        1995576      0.4         1    55      0.7       1.0      15.4
UDP-other     27839025      6.4         7   153     49.7       2.6      15.3
ICMP          33748168      7.8         1    81     12.4       0.9      15.4
IP-other        140260      0.0         7    81      0.2      59.6       0.9
Total:       158978986     37.0         7   396    283.3       1.4       9.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.48.2.151     Fa0/0         10.48.8.74      11 973E 00A1    19
Fa0/0         10.48.4.72      Fa0/1         10.48.2.151     11 00A1 8B6B     1
Fa0/1         10.48.2.151     Fa0/0         10.48.3.88      11 8810 00A1     6
Fa0/0         10.48.3.88      Fa0/1         10.48.2.151     11 00A1 8810     4
You can read this post to see how netflow and nfsen interact and provide the stats that you can use.
4) Create a profile
Follow the steps here to create a new continuous profile so that you can detect and colour the traffic. There is a bug in v1.3.5 which lets you modify an existing profile with new traffic types or sources but does not update the graphs. The only work around is to delete this profile and re-create it.
The easiest way around this I've found is to delete the profile and create it via the command line as follows (tstart is the date from which you want the graphs regenerated):
nfsen --add-profile MYPROF tstart="2012-02-03-11-50"
nfsen --add-channel MYPROF/ntp filter='port 123' colour='#FF6530'
nfsen --add-channel MYPROF/ssh filter='port 22' colour='#FFBE20'
nfsen --add-channel MYPROF/http filter='port 80' colour='#FFFF40'
nfsen --add-channel MYPROF/https filter='port 443' colour='#C9FF70'
nfsen --add-channel MYPROF/xmlrpc filter='port 8080' colour='#4FFF10'
nfsen --add-channel MYPROF/dca filter='port 8090' colour='#BFFFFF'
nfsen --add-channel MYPROF/dns filter='port 53' colour='#305FFF'
nfsen --add-channel MYPROF/icmp filter='proto icmp' colour='#FFC7FF'
nfsen --add-channel MYPROF/snmp filter='port 161' colour='#FF6887'
nfsen --commit-profile MYPROF
Use the command below to get a list of all the options available:
/usr/local/bin/nfsen --help
5) Supporting Cisco ASAs
This configuration cannot support ASAs because they have a special netflow format. See this for what is required to implement ASA support. A quick writeup of NSEL can be found here.
Basically you need to install nfdump-1.5.8-2-NSEL. Download the latest version of nfdump NSEL from here. Install this last because performing the initial install (step 3) from ports allows all the dependencies to be easily installed.
Build and install this as follows:
tar -xvzf nfdump-1.5.8-2-NSEL.tar.gz
cd nfdump-1.5.8-2-NSEL
ln -s /usr/local/lib/librrd.so /usr/lib/librrd.so
ln -s /usr/local/include/rrd.h /usr/include/rrd.h
./configure --enable-nfprofile
make
make install
Check that this version has been installed:
nfdump -V
nfdump: Version: 1.5.8-2-NSEL $LastChangedDate: 2011-12-30 15:43:40 +0100 (Fri, 30 Dec 2011) $
$Id: nfdump.c 72 2011-12-30 14:47:39Z peter $
Edit /usr/local/etc/nfsen.conf and add the ASA as a source:
%sources = (
'rtr01' => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
'fw03' => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'netflow' },
);
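Before running nfsen reconfig it is worth checking the %sources block, since a mistake there (two sources on one port, a mistyped colour) only shows up as a collector that silently records nothing. The following is an added example and not part of nfsen: it parses the two %sources blocks shown above (rtr01 and fw03) from a constructed copy of nfsen.conf and reports problems. The rule that every source needs its own port is an assumption about nfsen 1.3.x, where each source gets its own nfcapd bound to that port.

```python
"""Sanity-check the %sources block of nfsen.conf before `nfsen reconfig`.
Added example, not part of nfsen; SAMPLE_CONF is a constructed config."""
import re

SOURCE_RE = re.compile(r"'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}")
KV_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")


def parse_sources(conf_text):
    """Return {source_name: {option: value}} from the %sources = ( ... ); block."""
    block = re.search(r"%sources\s*=\s*\((.*?)\);", conf_text, re.S)
    if block is None:
        raise ValueError("no %sources block found")
    return {m.group("name"): dict(KV_RE.findall(m.group("body")))
            for m in SOURCE_RE.finditer(block.group(1))}


def check_sources(sources):
    """Return a list of problems; an empty list means the block looks sane.
    Assumption about nfsen 1.3.x: each source starts its own nfcapd bound to
    its port, so two sources cannot share a port."""
    problems, port_owner = [], {}
    for name, opts in sources.items():
        # the source name becomes a directory under profiles-data, keep it plain
        if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
            problems.append(f"{name}: name must be a plain identifier")
        port = opts.get("port", "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{name}: missing or invalid port {port!r}")
        elif port in port_owner:
            problems.append(f"{name}: port {port} is already used by {port_owner[port]}")
        else:
            port_owner[port] = name
        if opts.get("type") not in ("netflow", "sflow"):
            problems.append(f"{name}: type must be 'netflow' or 'sflow'")
        if not re.fullmatch(r"#[0-9A-Fa-f]{6}", opts.get("col", "")):
            problems.append(f"{name}: col must be an #rrggbb colour")
    return problems


# Constructed config text: the router and ASA sources from this page plus a
# third, hypothetical source that wrongly re-uses the ASA's port.
SAMPLE_CONF = """
%sources = (
    'rtr01' => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
    'fw03'  => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'netflow' },
    'fw04'  => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'netflow' },
);
"""

if __name__ == "__main__":
    for problem in check_sources(parse_sources(SAMPLE_CONF)) or ["no problems found"]:
        print(problem)
```

Run it against the real file with parse_sources(open("/usr/local/etc/nfsen.conf").read()); on the constructed sample it reports only that fw04 re-uses port 2056.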
Configure the ASA as follows:
flow-export destination <Interface> <netflow server ip> <port as defined in nfsen.conf = 2056>
flow-export template timeout-rate 1
flow-export delay flow-create 60
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect snmp
 class class-default
  flow-export event-type all destination <netflow server ip>
Check the ASA is exporting the flows:
show flow-export counters
destination: CentralLAN 10.48.2.156 2056
Statistics:
packets sent 11334
Errors:
block allocation failure 0
invalid interface 0
template send failure 0
6) Installing NSELTracker Plugin (not working yet)
The NSELTracker plugin reads the events from the capture files and builds a hash table to maintain the following statistics:
- Completed flows --> Flows for which both the create and the teardown event were observed
- Open flows --> Flows for which only the flow creation event was observed within the collection time interval
- Denied flows --> Flows that were denied by the ASA
Statistics for denied flows are maintained per protocol (TCP, UDP and ICMP) for each denial reason. Flows can be denied for the following reasons:
Extended code 1001 -> Denied by ingress ACL
Extended code 1002 -> Denied by egress ACL
Extended code 1003 -> The device denied an attempt to connect to the interface service
Extended code 1004 -> Denied since the first packet on the TCP flow was not a TCP SYN packet
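To make the "special netflow format" concrete, here is an added example (not code from nfsen, nfdump or NSELTracker) that decodes a NetFlow v9 export carrying ASA NSEL records and produces the three statistics listed above: completed, open and denied flows, the last tallied per protocol and denial reason using the extended codes 1001 to 1004. The packet it parses is constructed inline in build_sample_export(); the field numbers 233 (firewall event) and 33002 (extended event) are taken from Cisco's NSEL documentation and should be treated as assumptions, as should the event values 1 = created, 2 = deleted, 3 = denied.

```python
"""Decode a NetFlow v9 export with Cisco ASA NSEL records and tally
completed, open and denied flows the way NSELTracker does.  Added example,
not code from nfsen, nfdump or NSELTracker; the packet is constructed."""
import socket
import struct
from collections import Counter

# NetFlow v9 field type numbers used here: standard v9 types plus the two
# Cisco NSEL firewall event fields (assumed from Cisco's NSEL documentation).
PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 4, 7, 8, 11, 12
FW_EVENT = 233        # NF_F_FW_EVENT: 1 created, 2 deleted, 3 denied (assumed)
FW_EXT_EVENT = 33002  # NF_F_FW_EXT_EVENT: 1001-1004 denial reasons listed above
IP_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}
PROTO_NAME = {1: "ICMP", 6: "TCP", 17: "UDP"}
DENY_REASON = {1001: "ingress ACL", 1002: "egress ACL",
               1003: "interface service", 1004: "no TCP SYN"}


def parse_v9(packet, templates=None):
    """Return the data records of one v9 packet as {field_type: value} dicts.
    Templates are cached in `templates` per (source_id, template_id) so they
    survive across packets, which a real collector must do too."""
    if templates is None:
        templates = {}
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: (template id, field count, type/len pairs)...
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data FlowSet: decode with the matching template
            fields = templates.get((source_id, fs_id))
            if fields is not None:  # data arriving before its template is dropped
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while rec_len and p + rec_len <= len(body):  # stops at the pad bytes
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[p:p + flen]
                        p += flen
                        rec[ftype] = socket.inet_ntoa(raw) if ftype in IP_FIELDS else int.from_bytes(raw, "big")
                    records.append(rec)
        off += fs_len
    return records


def summarize_nsel(records):
    """NSELTracker-style statistics: completed (create and teardown seen),
    open (create only) and denied flows, the latter per protocol and reason."""
    created, deleted, denied = set(), set(), Counter()
    for r in records:
        key = (r[PROTOCOL], r[IPV4_SRC_ADDR], r[L4_SRC_PORT], r[IPV4_DST_ADDR], r[L4_DST_PORT])
        event = r.get(FW_EVENT)
        if event == 1:
            created.add(key)
        elif event == 2:
            deleted.add(key)
        elif event == 3:
            proto = PROTO_NAME.get(r[PROTOCOL], str(r[PROTOCOL]))
            denied[(proto, DENY_REASON.get(r.get(FW_EXT_EVENT), "other"))] += 1
    return {"completed": len(created & deleted), "open": len(created - deleted),
            "denied": dict(denied)}


def build_sample_export():
    """Constructed v9 packet: a template FlowSet followed by one data FlowSet
    with seven NSEL records (the addresses reuse those shown on this page)."""
    fields = [(PROTOCOL, 1), (L4_SRC_PORT, 2), (IPV4_SRC_ADDR, 4), (L4_DST_PORT, 2),
              (IPV4_DST_ADDR, 4), (FW_EVENT, 1), (FW_EXT_EVENT, 2)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    rows = [  # proto, sport, src, dport, dst, fw_event, fw_ext_event
        (6, 40000, "10.48.2.151", 22, "10.48.8.74", 1, 0),     # TCP flow created ...
        (6, 40000, "10.48.2.151", 22, "10.48.8.74", 2, 0),     # ... and torn down: completed
        (17, 40001, "10.48.2.151", 53, "10.48.8.74", 1, 0),    # UDP created only: open
        (6, 51000, "10.48.2.10", 23, "10.48.8.74", 3, 1001),   # TCP denied by ingress ACL
        (17, 5353, "10.48.2.77", 161, "10.48.8.74", 3, 1002),  # UDP denied by egress ACL
        (6, 52000, "10.48.2.10", 443, "10.48.8.74", 3, 1004),  # TCP first packet not a SYN
        (1, 0, "10.48.2.99", 0, "10.48.8.74", 3, 1001),        # ICMP denied by ingress ACL
    ]
    data = b"".join(struct.pack("!BH4sH4sBH", p, sp, socket.inet_aton(s), dp, socket.inet_aton(d), e, x)
                    for p, sp, s, dp, d, e, x in rows)
    data += b"\0" * (-len(data) % 4)  # FlowSets are padded to a 4-byte boundary
    header = struct.pack("!HHIIII", 9, 1 + len(rows), 0, 0, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(template)) + template
            + struct.pack("!HH", 256, 4 + len(data)) + data)


if __name__ == "__main__":
    print(summarize_nsel(parse_v9(build_sample_export())))
```

Two points worth noting for anyone debugging an empty plugin page: data FlowSets that arrive before their template are dropped (the parser keeps the template cache only if you pass the same dict to every call), and a denied flow never produces a create or teardown event, so it shows up in neither the completed nor the open count, only in the per-protocol denial table.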
Create a location to store the RRD data
mkdir /usr/local/var/nfsen/nselD
chown www:www /usr/local/var/nfsen/nselD
Install the NSELTracker processing engine
cd ~/nfdump-1.5.8-2-NSEL/NSELTracker/
cp nseld /usr/local/bin/nselD
chown root:www /usr/local/bin/nselD
Initialize the RRD Data Store
/usr/local/bin/nselD -I -d /usr/local/var/nfsen/nselD
Install the plugins
#Front end plugin
cp NSELTracker.php /usr/local/www/nfsen/plugins
#Back end plugin
cp NSELTracker.pm /usr/local/libexec/nfsen/plugins
#Modify the backend plugin to point to the RRD data directory and fix two code bugs
vi /usr/local/libexec/nfsen/plugins/NSELTracker.pm
# On line 27 change $PORTSDBDIR from "/data/nfsen/nsel" to "/usr/local/var/nfsen/nselD"
my $PORTSDBDIR = "/usr/local/var/nfsen/nselD";
# On line 427 remove the extra double quote after open(NSELD, so that the line reads
my $pid = open(NSELD, "$NfConf::PREFIX/nseld $args 2>&1|");
# On line 482 replace the hard-coded "/data/nfsen/nsel/" with $PORTSDBDIR
my $command = "$nselD -M $netflow_sources -r nfcapd.$timeslot -d $PORTSDBDIR -A -t $timeslot -l 1 -s 1 -w $PORTSDBDIR/nsel_stat.txt";
Add the plugin for profile 'live'
vi /usr/local/etc/nfsen.conf
## Change @plugins to
@plugins = (
# profile # module
[ 'live', 'NSELTracker'],
);
Start nfsen (or reload it)
/usr/local/bin/nfsen reload
When you visit the plugins page on nfsen you then see:
However for some reason I cannot get this to populate any data at the moment! If you have any ideas please drop me a line.
UPDATE: it looks like the latest version of nfdump (>=1.6.9) now includes NSEL (http://sourceforge.net/p/nfdump/news/)