Building a CentOS 7 NetFlow Monitoring Station with nfsen and nfdump

In this article we will set up a NetFlow monitoring station with open source tools. It is important to keep track of what is happening on your network: which hosts are the top talkers, and which users or programs are accessing which resources. In our lab example we will have a Cisco router from which we will export NetFlow records, and a Linux based server on which we will run softflowd, an open source tool that generates NetFlow records from the traffic it captures on an interface. The collector side is nfdump (its nfcapd daemons receive and store the flows) with nfsen as the web frontend; more information on nfsen can be found at http://nfsen.sourceforge.net/#mozTocId467189.

General Preparation

#yum update -y    # update system and packages.

#vi /etc/selinux/config   # change the directive to SELINUX=disabled (takes effect after a reboot; setenforce 0 switches to permissive mode immediately)

Disabling SELinux removes a layer of protection from a host that is about to expose a web frontend. The better option is to leave it enforcing, use permissive mode only while troubleshooting, and fix the file contexts of /data/nfsen and /var/www/html/nfsen if Apache or nfsen is denied access.

We will need to install a number of packages for CentOS 7 (nfdump is compiled from source, so the build tools and the rrdtool development files are required; the Perl modules are needed by nfsen):

#yum install -y httpd php wget gcc make rrdtool-devel rrdtool-perl perl-MailTools perl-Socket6 flex byacc
#yum install -y perl-Sys-Syslog perl-Data-Dumper

Create the user account under which nfsen will run and add it to the apache group, so that the backend and the web frontend can share files

#useradd netflow
#usermod -a -G apache netflow

Create the directories which we will reference later in the configuration file (the data directory, and the web directory under the Apache document root)

#mkdir -p /data/nfsen
#mkdir -p /var/www/html/nfsen

Now we will download the latest nfdump and nfsen packages, at the time of writing nfdump-1.6.13.tar.gz and nfsen-1.3.6p1.tar.gz

#cd /opt
#wget http://downloads.sourceforge.net/project/nfdump/stable/nfdump-1.6.13/nfdump-1.6.13.tar.gz
#wget http://downloads.sourceforge.net/project/nfsen/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz

Configure iptables

In this tutorial we will disable firewalld, the default firewall on CentOS 7, and install the classic iptables service instead.

#systemctl mask firewalld
#systemctl stop firewalld
#yum -y install iptables-services
#systemctl enable iptables
#systemctl start iptables
#iptables -I INPUT -p tcp --dport 80 -j ACCEPT
#iptables -I INPUT -s "router ip" -p udp --dport 2055 -j ACCEPT
#iptables -I INPUT -s "linux server ip" -p udp --dport 9666 -j ACCEPT
#service iptables save

The -s option restricts each collector port to the address of the exporter that is supposed to send to it (later in this article the Cisco router exports to UDP 2055 and the Linux server to UDP 9666). Keep it: NetFlow is plain, unauthenticated UDP, so any host that can reach the collector port can inject fabricated flow records into your graphs. The last command writes the rules to /etc/sysconfig/iptables so they survive a reboot. Also add any additional ports that you need open.

Start the httpd service and enable it at boot

#systemctl enable httpd
#systemctl start httpd

Install nfdump

Untar the downloaded nfdump package

/opt#tar -zxvf nfdump-1.6.13.tar.gz

/opt#cd nfdump-1.6.13

Compile and install nfdump. --enable-nfprofile is required by nfsen, --enable-nftrack is needed by the nfsen PortTracker plugin, and --enable-sflow adds support for sFlow exporters.

/opt/nfdump-1.6.13#./configure --enable-nfprofile --enable-nftrack --enable-sflow

/opt/nfdump-1.6.13#make && make install

Install and configure nfsen

Untar nfsen

/opt#tar -zxvf nfsen-1.3.6p1.tar.gz
/opt#cd nfsen-1.3.6p1

Copy the nfsen example configuration file in the source tree to nfsen.conf

/opt/nfsen-1.3.6p1#cp etc/nfsen-dist.conf etc/nfsen.conf

Now we need to edit this configuration file to make sure all variables are set correctly. This is the copy that install.pl reads below; after installation the live configuration lives under $BASEDIR, at /data/nfsen/etc/nfsen.conf with the paths used here.

/opt/nfsen-1.3.6p1#vi etc/nfsen.conf

Make sure the data path variables match the directories created earlier. $HTMLDIR must be under the Apache document root so that the URL used later (/nfsen/nfsen.php) resolves:

$BASEDIR = "/data/nfsen";
$HTMLDIR = "/var/www/html/nfsen";

The distributed file runs the frontend as user and group "www"; on CentOS based systems Apache runs as "apache", so change

$WWWUSER  = "www";
$WWWGROUP = "www";

to

$WWWUSER  = "apache";
$WWWGROUP = "apache";

Leave $USER = "netflow"; as it is: this is the account created earlier, under which the nfsen backend and the nfcapd collectors run.

We will now run the Perl installation script to install nfsen

/opt/nfsen-1.3.6p1#./install.pl etc/nfsen.conf

Press enter to accept the default Perl path. You may see errors at this point because no flow sources have been configured yet; they can be ignored until the sources are added below.

Let's now create a startup script for the service. CentOS 7 is systemd based, but it still runs SysV style scripts from /etc/init.d through its chkconfig compatibility.

#vi /etc/init.d/nfsen

#!/bin/bash
#
# chkconfig: - 50 50
# description: nfsen - NetFlow collector (nfcapd) and frontend backend

# $BASEDIR/bin/nfsen as installed by install.pl
DAEMON=/data/nfsen/bin/nfsen

case "$1" in
    start)
        $DAEMON start
        ;;
    stop)
        $DAEMON stop
        ;;
    status)
        $DAEMON status
        ;;
    restart)
        $DAEMON stop
        sleep 1
        $DAEMON start
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac
exit 0

Make sure the script is executable, and register it with chkconfig (chkconfig --add nfsen) so that it starts at boot

#chmod +x /etc/init.d/nfsen

Start the nfsen daemon

#/etc/init.d/nfsen start

At this point you should be able to access nfsen at http://127.0.0.1/nfsen/nfsen.php. The nfsen frontend has no login of its own; it relies on the web server for authentication. Before exposing port 80 beyond localhost, protect /var/www/html/nfsen with Apache authentication or restrict it to trusted addresses, otherwise anyone who can reach the web server can browse your flow data.

Configuration of Cisco router to export NetFlow

This is a very basic example showing how to export NetFlow on a Cisco 870 series router.

On the Cisco router, enable flow caching on the interface whose traffic you want to account for, and point the export at the collector (the nfsen host, 192.168.2.47 here, on the port the CiscoRouter source will listen on):

conf t
interface fa4
 ip route-cache flow
exit
ip flow-export destination 192.168.2.47 2055
end
show ip cache flow
clear ip flow stats

show ip cache flow is an exec command that lets you verify that the router is actually caching flows; clear ip flow stats resets the counters.

On the nfsen system edit the installed configuration file, /data/nfsen/etc/nfsen.conf, and make sure a sources entry for the router exists

%sources = (
'CiscoRouter'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
);

#/data/nfsen/bin/nfsen reconfig
#/etc/init.d/nfsen restart


Softflowd configuration on Linux server

This is a basic example of how to generate NetFlow records on a Linux based server. softflowd sniffs an interface with libpcap, tracks the flows it sees and exports them to a collector. The Google Code download used here is no longer online; the project is now maintained on GitHub (https://github.com/irino/softflowd).

On the Linux server:

#yum install libtool automake autoconf python-devel libpcap-devel
#wget http://softflowd.googlecode.com/files/softflowd-0.9.9.tar.gz
#tar -zxvf softflowd-0.9.9.tar.gz
#cd softflowd-0.9.9
#./configure
#make
#make install
#softflowd -i eth0 -n 192.168.2.47:9666

You may also add this line at the end of /etc/rc.d/rc.local so that softflowd starts with the system. On CentOS 7 rc.local is only run if it is executable (chmod +x /etc/rc.d/rc.local); softflowd has to run as root because it captures packets with libpcap.

To make sure the software is actually working, check the softflowd statistics after it has been running for a few moments:

#softflowctl statistics

On the nfsen workstation:

Add the LinuxServer entry to %sources in /data/nfsen/etc/nfsen.conf. nfsen starts one nfcapd collector per configured port, so after the reconfig a second nfcapd will listen on UDP 9666:

%sources = (
'CiscoRouter'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
'LinuxServer'    => { 'port' => '9666', 'col' => '#088A08', 'type' => 'netflow' },
);

#/data/nfsen/bin/nfsen reconfig
#/etc/init.d/nfsen restart

Troubleshooting

1. Install tcpdump and verify that flows are being sent to the specified port.

#yum install tcpdump

#tcpdump -ni eth0 udp port 9666

Make sure that you see traffic on this port from the expected host, and only from it; packets from unexpected senders mean the source restriction in the firewall rule above is missing.

2. With nfdump you can read the flow files that nfcapd writes (one file per five minute interval, named nfcapd.YYYYMMDDhhmm) from the command line

#cd /data/nfsen/profiles-data/live/LinuxServer/2014/12/13

#nfdump -r "your file name"

3. Make sure that the system date and the PHP date are set correctly. You may need to edit /etc/php.ini and adjust date.timezone, for example date.timezone = "US/Eastern".

4. When you first visit your nfsen website you may get the error message "Frontend - Backend version mismatch!". You get this message the first time you connect because your browser does not yet have the correct cookie/session id; after you navigate to a new page you get a cookie. This error can safely be ignored.

5. Make sure the remote system, the one generating the flows, has the correct timezone and time set; the exporter stamps the flow records with its own clock, so a skewed exporter produces records with wrong timestamps.

6. Troubleshoot nfcapd

nfsen starts one nfcapd collector process per configured port. First check the running nfcapd processes

#ps axo command | grep '[n]fcapd'

Check which ports nfcapd is listening on

#lsof -Pni | grep nfcapd

To test whether nfcapd is receiving data, attach strace to the collector's process id (pidof prints one pid per running nfcapd) and watch for recvfrom()/recvmsg() calls as packets arrive

#pidof nfcapd
#strace -p "pid"

7. If you suspect there is a problem with nfcapd you can try running a collector locally on the Linux server itself, pointing softflowd at it over loopback. You will need to build and install nfdump there first.

#softflowd -i eth0 -n 127.0.0.1:9997

#mkdir test
#nfcapd -w -D -l test -p 9997
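The following script ties together the firewall section, the %sources configuration and troubleshooting step 6. It is an added example, not part of nfsen or of the original article: it parses the %sources block of nfsen.conf, generates one iptables rule per collector port scoped to that source's exporter address (a source with no known exporter is reported and skipped rather than opened to the world), and compares the configured ports against the UDP ports actually bound on the host, as reported by ss -lun, to spot a source whose nfcapd is not running. The nfsen.conf fragment, the ss output and the exporter addresses 192.168.2.1 (router) and 192.168.2.10 (Linux server) are constructed sample data; in production feed it /data/nfsen/etc/nfsen.conf and live ss output instead.

```shell
#!/bin/sh
# Added example (not nfsen's own code): audit nfsen collector ports.
# Generates per-exporter iptables rules from nfsen.conf and checks that an
# nfcapd is bound to every configured port. All sample data is constructed.
set -eu

# Constructed nfsen.conf fragment (production: cat /data/nfsen/etc/nfsen.conf).
sample_conf() {
cat <<'EOF'
%sources = (
    'CiscoRouter'    => { 'port' => '2055', 'col' => '#0000ff', 'type' => 'netflow' },
    'LinuxServer'    => { 'port' => '9666', 'col' => '#088A08', 'type' => 'netflow' },
);
EOF
}

# Constructed `ss -lun` output: 2055 is bound, 9666 is not (production: ss -lun).
sample_ss() {
cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
UNCONN  0       0              0.0.0.0:2055        0.0.0.0:*
UNCONN  0       0                 [::]:123            [::]:*
EOF
}

# Print "name port" for each entry of the %sources block read on stdin.
nfsen_sources() {
    sed -n '/^%sources/,/^);/p' \
    | sed -n "s/^[[:space:]]*'\([^']*\)'[[:space:]]*=>.*'port'[[:space:]]*=>[[:space:]]*'\([0-9]*\)'.*/\1 \2/p"
}

# Print one iptables rule per source, restricted to that source's exporter.
# $1 = space separated "SourceName=exporter_ip" pairs; nfsen.conf on stdin.
# NetFlow is unauthenticated UDP, so a source whose exporter address is
# unknown is reported on stderr and skipped instead of being opened to any sender.
collector_rules() {
    exporters=$1
    nfsen_sources | while read -r name port; do
        ip=""
        for pair in $exporters; do
            case $pair in
                "$name="*) ip=${pair#*=} ;;
            esac
        done
        if [ -z "$ip" ]; then
            echo "WARNING: no exporter address for source $name (udp/$port); rule not generated" >&2
            continue
        fi
        echo "iptables -I INPUT -s $ip -p udp --dport $port -m comment --comment nfsen:$name -j ACCEPT"
    done
}

# Print the UDP ports bound on the host from `ss -lun` output on stdin.
# The port is the last colon separated field, which also handles [::]:port and *:port.
listening_udp_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Report configured sources with no collector bound to their port.
# $1 = `ss -lun` output as a string; nfsen.conf on stdin.
missing_collectors() {
    bound=$(printf '%s\n' "$1" | listening_udp_ports)
    nfsen_sources | while read -r name port; do
        printf '%s\n' "$bound" | grep -qx "$port" || echo "$name $port MISSING"
    done
}

# Demo on the constructed data (the exporter addresses are assumptions).
sample_conf | collector_rules "CiscoRouter=192.168.2.1 LinuxServer=192.168.2.10"
sample_conf | missing_collectors "$(sample_ss)"
```

Review the generated rules, then pipe them into sh and run service iptables save; after every nfsen reconfig, run missing_collectors against live ss -lun output to confirm that a collector came up for each source before looking anywhere else for missing graphs.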