Notes on Setting up a Linux box to be both a netflow sensor and collector.


  We wanted to set up a computer to act as the netflow sensor, the piece that collects the flow data and exports it, and also as the collector, the piece that accepts the flow data from the sensor, stores it, and sometimes also analyses it.
  One way to do this is to mirror the switch port you want netflow data collected for to the computer, and use softflowd as the sensor and nfsen as the collector.

  We chose to do this with Linux. We used Slackware 13.0. Any Linux should work. I bet any *nix would work as well, though I did not look into that at all. The first step was just to get Linux installed and up and running the way we wanted it.

  Once Linux was installed and set up, we grabbed some prerequisites for nfsen. The first was the MailTools perl module from CPAN. We did this:
wget http://search.cpan.org/CPAN/authors/id/M/MA/MARKOV/MailTools-2.04.tar.gz
tar -xvzf MailTools-2.04.tar.gz
cd MailTools-2.04
perl Makefile.PL
make
make install
Of course, all the "make install" commands (and some others) in this document need to be run as the user "root".


  RRDtool is also needed as a prerequisite. So we did this:
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.3.9.tar.gz
tar -xvzf rrdtool-1.3.9.tar.gz
cd rrdtool-1.3.9
./configure
make
make install
NOTE!: We had trouble getting the newer 1.4.x versions of RRDtool working with nfsen, so we had to stick with the slightly older 1.3.x line. We used 1.3.9 (the tar and cd lines above have to name the same version you downloaded). YMMV, but I recommend 1.3.9 (as of 2009-11-25). With the default ./configure prefix it installs under /usr/local/rrdtool-1.3.9, which is the path the nfdump and nfsen steps below refer to.


  nfsen uses the nfdump package, so we installed that next. (We pass -O to wget because it would otherwise save the file with the "?use_mirror=ignum" part in its name and the tar command would not find it.)
wget -O nfdump-1.5.8.tar.gz 'http://downloads.sourceforge.net/project/nfdump/stable/nfdump-1.5.8/nfdump-1.5.8.tar.gz?use_mirror=ignum'
tar -xvzf nfdump-1.5.8.tar.gz
cd nfdump-1.5.8
./configure --enable-nfprofile --with-rrdpath=/usr/local/rrdtool-1.3.9/
make
make install



  Now we can actually install nfsen. We did this (again with -O so wget saves the tarball under its plain name):
wget -O nfsen-1.3.2.tar.gz 'http://downloads.sourceforge.net/project/nfsen/stable/nfsen-1.3.2/nfsen-1.3.2.tar.gz?use_mirror=ignum'
tar -xvzf nfsen-1.3.2.tar.gz
cd nfsen-1.3.2
cp etc/nfsen-dist.conf etc/nfsen.conf 

  We then had to edit the etc/nfsen.conf file (we used vi). We changed the $USER variable to apache, and both the $WWWUSER and $WWWGROUP variables to apache. Then we changed the "sources" section so it accepts the data from localhost, using the port from the examples already in the config file. Ours looked like this:
%sources = (
    'localhost'    => { 'port'    => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);

We first tried '127.0.0.1', but apparently it only accepts host names there, not IP addresses.
We copied that etc/nfsen.conf in the nfsen-1.3.2 folder into /etc as well:
cp etc/nfsen.conf /etc

  Then we created the data directory:
mkdir /data/
mkdir /data/nfsen
chown apache -R /data


  We had some trouble getting nfsen to compile and install until we did this from inside the same directory we "cd"ed to above (nfsen-1.3.2):
cp -R /usr/local/rrdtool-1.3.9/lib/perl/5.10.0/i486-linux-thread-multi/* ./libexec/
Until we did that, we were getting this error message:
Can't locate RRDs.pm in @INC


Once we got all those details sorted out, we were able to run:
./install.pl etc/nfsen.conf
and nfsen installed for us. There is some more nfsen setup below. But first...


  Now we can install the sensor daemon, softflowd.
wget http://www.mindrot.org/files/softflowd/softflowd-0.9.8.tar.gz
tar -xvzf softflowd-0.9.8.tar.gz
cd softflowd-0.9.8
./configure
make
make install

Now that softflowd is installed, we can set it to automatically start. On Slackware 13.0, with BSD style init (start up) scripts, we added this to the /etc/rc.d/rc.local file:
/usr/local/bin/softflowd -i eth1 -n 127.0.0.1:9995
We were using eth1, alter the interface to your situation. It may well be eth0 instead of eth1 for you. (or something else).
Then you can run that line added to the rc.local file above as root from the command line in your shell, and it should start.
You can verify it is working by running:
softflowctl statistics
You should get output with "Number of active flows" and such.
  If you are using a *nix with SystemV init scripts instead of the good^H^H^H^H BSD style init scripts, then exactly how to set softflowd to startup may be different. Most likely something along the lines of going to /etc/init.d and making a script there that starts softflowd in a manner like above, perhaps accepting "start" and "stop" and "restart" as parameters (and doing appropriate things with them), and then going to /etc/rc.d/rc3.d and making a sym link (ln -s) to that script from there called something like S98softflowd. Or something along those lines maybe. Not going into those details more than that here. Or, you may well still have an /etc/rc.d/rc.local you can throw that line in even on a systemV init script system.
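Here is a worked start/stop script of the kind just described, written as a Slackware-style /etc/rc.d/rc.softflowd that also serves as the SysV /etc/init.d script. It is an added example for these notes, not something shipped with softflowd. The -i, -n, -p (pidfile) and -c (control socket) options and the "softflowctl shutdown" command are softflowd's own; the script name, the /var/run paths and the SOFTFLOWD_* environment overrides are assumptions. It refuses to start unless the collector address is a host:port, so a typo in the address cannot send a copy of every conversation on the mirrored segment to the wrong machine.

```shell
#!/bin/sh
# rc.softflowd: start/stop softflowd the SysV/Slackware way.
# Added example for these notes; not shipped with softflowd. The -i, -n,
# -p and -c options and "softflowctl shutdown" are real softflowd features;
# the paths, script name and SOFTFLOWD_* overrides are assumptions.

IFACE="${SOFTFLOWD_IFACE:-eth1}"                     # mirrored interface (eth1 in the notes)
COLLECTOR="${SOFTFLOWD_COLLECTOR:-127.0.0.1:9995}"   # nfsen's 'localhost' source port
PIDFILE="${SOFTFLOWD_PIDFILE:-/var/run/softflowd.pid}"
CTLSOCK="${SOFTFLOWD_CTLSOCK:-/var/run/softflowd.ctl}"
DAEMON="${SOFTFLOWD_BIN:-/usr/local/bin/softflowd}"

# The exact command line, kept in one place so "status" can show it and so
# it stays identical to the line the notes put in rc.local.
softflowd_cmd() {
    printf '%s -i %s -n %s -p %s -c %s\n' \
        "$DAEMON" "$IFACE" "$COLLECTOR" "$PIDFILE" "$CTLSOCK"
}

# Accept only host:port with a numeric port in 1..65535. Flow records describe
# every conversation on the mirrored segment, so a mistyped collector address
# should keep the daemon from starting rather than export to a stranger.
valid_collector() {
    case "$1" in
        *:*) _host="${1%:*}"; _port="${1##*:}" ;;
        *)   return 1 ;;
    esac
    [ -n "$_host" ] || return 1
    case "$_port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]
}

softflowd_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

softflowd_start() {
    if ! valid_collector "$COLLECTOR"; then
        echo "rc.softflowd: refusing to start, bad collector '$COLLECTOR'" >&2
        return 1
    fi
    if softflowd_running; then
        echo "softflowd is already running"
        return 0
    fi
    echo "Starting softflowd: $(softflowd_cmd)"
    "$DAEMON" -i "$IFACE" -n "$COLLECTOR" -p "$PIDFILE" -c "$CTLSOCK"
}

softflowd_stop() {
    if ! softflowd_running; then
        echo "softflowd is not running"
        return 0
    fi
    # "shutdown" makes softflowd expire and export every flow it is still
    # tracking before it exits, so stopping does not lose the tail of the data.
    echo "Stopping softflowd"
    softflowctl -c "$CTLSOCK" shutdown
}

softflowd_status() {
    if softflowd_running; then
        echo "softflowd is running as pid $(cat "$PIDFILE")"
    else
        echo "softflowd is not running"
        return 3        # LSB exit code for "not running"
    fi
}

case "${1:-}" in
    start)   softflowd_start ;;
    stop)    softflowd_stop ;;
    restart) softflowd_stop; sleep 1; softflowd_start ;;
    status)  softflowd_status ;;
    '')      ;;      # no argument: only define the functions (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Save it as /etc/rc.d/rc.softflowd, make it executable, and put "/etc/rc.d/rc.softflowd start" in rc.local in place of the bare softflowd line above; on a SysV system the same file goes in /etc/init.d with the S98softflowd symlink pointing at it.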


  We can also now start nfsen and set it to start automatically. We did:
cd /etc/rc.d
ln -s /data/nfsen/bin/nfsen rc.nfsen
Then we edited rc.local and added:
/etc/rc.d/rc.nfsen start
After that, you can just run that same line added to rc.local from the command line as root in your shell to start nfsen.
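With both daemons running, a small check run from cron catches the failures that are otherwise silent: softflowd dying (or its control socket going away) and nfcapd no longer writing capture files. This is an added example, not part of the original notes or of nfsen/softflowd. It assumes softflowctl is on PATH and that nfsen keeps the 'localhost' source's files under /data/nfsen/profiles-data/live/localhost (nfsen's profiles-data/live/<source> layout below the /data/nfsen directory created above); the script name and the 10-minute threshold are made up, and the statistics text used in the test is constructed around the "Number of active flows" line the notes mention.

```shell
#!/bin/sh
# check-netflow.sh: is the sensor exporting and the collector still writing?
# Added example for these notes, not part of nfsen or softflowd. Assumes
# softflowctl is on PATH and that nfsen stores the 'localhost' source under
# $NFSEN_LIVE (nfsen's profiles-data/live/<source> layout below /data/nfsen).
# The 10-minute threshold is a constructed default: nfcapd rotates its file
# every 5 minutes, so two missed rotations means something is wrong.

NFSEN_LIVE="${NFSEN_LIVE:-/data/nfsen/profiles-data/live/localhost}"
MAX_AGE_MIN="${MAX_AGE_MIN:-10}"

# Read "softflowctl statistics" output on stdin and print the number after
# "Number of active flows:"; print -1 if that line is missing, which is what
# you get when softflowd is dead or its control socket is unreachable.
active_flows() {
    awk -F: '/Number of active flows/ { gsub(/[^0-9]/, "", $2); print $2; found = 1 }
             END { if (!found) print -1 }'
}

# Count nfcapd.* files in $1 modified within the last $2 minutes. Zero means
# nfcapd has stopped rotating capture files (nfsen down, or the directory is
# no longer writable by the nfsen user), even if softflowd itself is healthy.
recent_captures() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -name 'nfcapd.*' -mmin "-$2" | wc -l | tr -d ' '
}

# Exit status: 0 healthy, 1 sensor problem, 2 collector problem. Cron mails
# the output; monitoring can key on the exit code.
check_netflow() {
    flows="$(softflowctl statistics 2>/dev/null | active_flows)"
    if [ "$flows" -lt 0 ]; then
        echo "sensor: softflowd is not answering on its control socket"
        return 1
    fi
    echo "sensor: $flows active flows"
    n="$(recent_captures "$NFSEN_LIVE" "$MAX_AGE_MIN")"
    if [ "$n" -eq 0 ]; then
        echo "collector: no nfcapd.* file newer than $MAX_AGE_MIN minutes in $NFSEN_LIVE"
        return 2
    fi
    echo "collector: $n capture file(s) written in the last $MAX_AGE_MIN minutes"
    return 0
}

# Run the check only when invoked as "check-netflow.sh run", e.g. from cron:
#   */5 * * * * /usr/local/sbin/check-netflow.sh run
if [ "${1:-}" = "run" ]; then
    check_netflow
fi
```

The two halves fail differently on purpose: a dead sensor shows up as the statistics line going missing, while a collector that has stopped writing shows up as the live directory going stale even though softflowd still reports flows.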


  Depending on what all you changed in the nfsen.conf file, you may need to do this:
cd /var/www/htdocs
ln -s ../nfsen
(the default location in the nfsen.conf is outside of the default document root in the default apache install on slack13).

The default apache install on slackware13 doesn't have PHP enabled, so we had to enable that in order to use nfsen. To do that, edit /etc/httpd/httpd.conf and uncomment the line:
Include /etc/httpd/mod_php.conf
then restart your web server using your favorite method of doing that (or reboot if you don't know any). :)

To access it, connect to
http://your.computer.here/nfsen/nfsen.php
Substitute the name (or IP) of your computer in place of "your.computer.here".

Earlier in this document we refer to mirroring the switch port you want to collect netflow data for to this computer. Exactly how to do that, or even if you can, varies from switch to switch. In our case we were using a Cisco 3750, so we telnetted into it and did:
enable
monitor session 1 source int g1/0/x
monitor session 1 dest int g1/0/x
If you're doing other port mirroring, make sure you use the proper session number. Also adjust the interfaces to the appropriate ones for your situation. On that same switch, to undo all port mirroring, you can do:
no monitor session all
Just fyi. spp 2009-11-25