Nfsen (http://nfsen.sourceforge.net/) is an amazing project that supports various NetFlow collectors and lets you investigate the collected flows in whatever way your imagination suggests!
The installation procedure for nfsen is described below.
Dependent package installation using yum
——————————————————
The following RPMs and Perl modules are required for the installation; I used yum to install them:
httpd
php
perl
gcc
make
rrdtool
rrdtool-devel
rrdtool-perl
perl-TimeDate
perl-MailTools
perl-Socket6
bison
flex
Make sure that SELinux is disabled.
vi /etc/selinux/config
set SELINUX=disabled
reboot
Start and enable httpd at boot
# service httpd start
# chkconfig httpd on
Install fprobe
——————
Download fprobe from the SourceForge site and install it:
# tar -xjvf fprobe-1.11.tar.bz2
# cd fprobe-1.11
# ./configure
# make
# make install
Now run fprobe using the command: /usr/local/sbin/fprobe -i eth0 -f "ip" -n7 remote:port
e.g.
# /usr/local/sbin/fprobe -i eth0 -f "ip" -n7 127.0.0.1:9995
and make sure that the process is running using the 'ps aux' command.
Nfdump installation
———————-
Download nfdump from the SourceForge site and install it:
# tar -zxvf nfdump-1.6.11.tar.gz
# cd nfdump-1.6.11
# ./configure --enable-nfprofile --enable-nftrack --enable-nfpcapd
# make
# make install
You can check whether nfcapd can collect network data using:
# nfcapd -w -D -S 2 -B 1024000 -l /opt/nfcapd_test/ -p 9995
Nfsen installation
————————
Download nfsen from the SourceForge site and install it:
# tar -zxvf nfsen-1.3.6p1.tar.gz
# cd nfsen-1.3.6p1
# cp etc/nfsen-dist.conf etc/nfsen.conf
Make all the necessary changes in nfsen.conf. Just go through the README file of nfsen for installation and configuration instructions; it is really helpful.
Typical options in the 'nfsen.conf' configuration file look like:
# Example Config file!
$BASEDIR = "/opt/nfsen";
$BINDIR="${BASEDIR}/bin";
$LIBEXECDIR="${BASEDIR}/libexec";
$CONFDIR="${BASEDIR}/etc";
$HTMLDIR = "/var/www/nfsen/";
$DOCDIR="${HTMLDIR}/doc";
$VARDIR="${BASEDIR}/var";
$PROFILESTATDIR="${BASEDIR}/profiles-stat";
$PROFILEDATADIR="${BASEDIR}/profiles-data";
$BACKEND_PLUGINDIR="${BASEDIR}/plugins";
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
$PREFIX = '/usr/local/bin';
$USER = "apache";
$WWWUSER = "apache";
$WWWGROUP = "apache";
$EXTENSIONS = 'all';
$SUBDIRLAYOUT = 1;
$ZIPcollected = 1;
$ZIPprofiles = 1;
$PROFILERS = 2;
$DISKLIMIT = 98;
# $PROFILERS is assigned twice in this file; Perl keeps the last value (6).
$PROFILERS = 6;
%sources = (
'home' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);
When you install nfsen, it automatically configures the nfcapd program as a daemon,
so there is no need to run nfcapd separately as a daemon.
If you would like to test it with tools like fprobe/softflowd, however, you can run the nfcapd
program standalone and capture the flows from softflowd/fprobe:
nfcapd -w -D -S 2 -B 1024000 -l /opt/flow_base_dir/ -p 9995
Make sure that the /opt/data/nfsen directory is writable by apache, i.e.
# chown -R apache:apache /opt/data/nfsen
Install nfsen using:
# perl install.pm etc/nfsen.conf
Make nfsen start at boot. Please refer to the reference links for writing a daemon script.
# chmod 755 nfsen && chkconfig --add nfsen && chkconfig nfsen on
Configure Apache for nfsen
———————————-
# vi /etc/httpd/conf.d/nfsen.conf
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen/>
DirectoryIndex nfsen.php
Options -Indexes
# Apache 2.2 access-control syntax (Apache 2.4 uses "Require"). "allow from all"
# exposes the nfsen UI to every client that can reach the host; narrow it to
# your management network where that is not intended.
order allow,deny
allow from all
</Directory>
# service httpd restart
Typical Errors
——————
If you encounter errors like:
Rebuilding profile stats for './live'
Unable to create graph: No such file or directory
Error GenGraph: Profile: live, traffic-day: Legend set but no color: peer2 at libexec/NfSenRRD.pm line 337.
Unable to create graph: No such file or directory
please ignore them. For some reason, the pre-built graphs could not be generated. Make sure that RRD.pm is installed correctly.
After some time, the graphs will be rebuilt.
Another error you might encounter is "ERROR: nfsend connect() error: Permission denied!". This is a permissions issue, as documented at https://code.google.com/p/nfsenplugins/wiki/NFSEN_Installation_Gotchas. You need to make sure that the nfsen web front end, which runs as the Apache user, can read the nfsen.comm socket file.
Typical checks
———————
Check whether fprobe is working correctly by using tcpdump. fprobe captures traffic on interface eth0, builds flow records from it and sends them to port 9995 over UDP:
tcpdump -n -i eth0 -v dst port 9995
Check that the fprobe and nfcapd processes are running:
# ps aux | grep fprobe
# ps aux | grep nfcapd
Create a soft link for nfsen:
# ln -s /opt/nfsen/bin/nfsen /usr/sbin/nfsen
You can start and stop nfsen using:
# nfsen start
# nfsen stop
Check the status of the nfsen daemon:
# nfsen status
If you change the configuration in nfsen.conf, do not forget to reconfigure nfsen using the command:
# nfsen reconfig
Check that the required ports are listening for traffic using the netstat command:
# netstat -t -u -c
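The checks above, and the nfsen.conf handling from the configuration section, collected into one script. This is an added example, not code from the original post or from nfsen itself; the function names and the default conf path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post or of nfsen): sanity checks for
# the fprobe -> nfcapd -> nfsen chain. Function names and paths are assumed.

# Print the effective value of a scalar in nfsen.conf, e.g. $BASEDIR = "...";
# or $PROFILERS = 6;. As in Perl, the last assignment wins, so a file that
# sets $PROFILERS twice (2, then 6) reports 6. Interpolated values such as
# "${BASEDIR}/bin" are returned verbatim, not expanded.
conf_value() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*\\\$$key[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"';]*\)[\"']\{0,1\}[[:space:]]*;.*/\1/p" "$file" | tail -n 1
}

# Return 0 if the `netstat -unl` listing read from stdin shows a UDP socket
# bound to port $1 (nfcapd's collector port, 9995 in this post). Matches
# both "0.0.0.0:9995" and the IPv6 form ":::9995".
udp_port_listening() {
    awk -v p="$1" '$1 ~ /^udp/ && $4 ~ ("[:.]" p "$") { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if a process whose command line matches $1 is running; the same
# test as the `ps aux | grep` checks above.
proc_running() {
    pgrep -f "$1" >/dev/null 2>&1
}

# Run every check on a live box: exporter, collector and nfsen daemon present,
# a listener on the collector port, and the values nfsen will actually use.
check_pipeline() {
    port=$1
    conf=$2
    rc=0
    for p in fprobe nfcapd nfsend; do
        if proc_running "$p"; then echo "ok   $p is running"
        else echo "FAIL $p is not running"; rc=1; fi
    done
    if netstat -unl 2>/dev/null | udp_port_listening "$port"; then
        echo "ok   udp/$port has a listener"
    else
        echo "FAIL nothing is listening on udp/$port"; rc=1
    fi
    echo "info BASEDIR=$(conf_value "$conf" BASEDIR) PROFILERS=$(conf_value "$conf" PROFILERS)"
    return $rc
}

# Live checks run only when invoked as: sh nfsen_checks.sh run [port] [nfsen.conf]
if [ "${1:-}" = "run" ]; then
    check_pipeline "${2:-9995}" "${3:-/opt/nfsen/etc/nfsen.conf}"
fi
```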
Reference Links:
I found the following blog entries to be useful for nfsen configuration: