Netflow
These are some utilities related to Netflow usage.
Samplicator
This is an awesome lightweight utility to replicate/duplicate UDP packets.
Get the file: http://code.google.com/p/samplicator/downloads/list
and follow the INSTALL file.
- /etc/init.d/samplicator
#! /bin/sh
# /etc/init.d/samplicator
#
# This simple script merely stops and starts samplicator processes. Note that
# additional listeners can be added to the *start* section below, with other
# config files, as needed.
#
# CREATE: 'sudo nano /etc/init.d/samplicator', 'sudo chmod +x /etc/init.d/samplicator'
# ADD TO STARTUP: 'sudo update-rc.d samplicator defaults'

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting script samplicator"
    # -S (spoof source address) -f (fork into background) -p (listening port)
    /usr/local/bin/samplicate -S -f -p 2056 -c /etc/samplicator.conf
    # add other listeners
    # /usr/local/bin/samplicate -S -f -p 8885 -c /etc/samplicator02.conf
    # /usr/local/bin/samplicate -S -f -p 8886 -c /etc/samplicator03.conf
    ;;
  stop)
    echo "Stopping script samplicator"
    # kill ALL samplicator listeners (no error if none are running)
    pkill samplicate
    ;;
  *)
    echo "Usage: /etc/init.d/samplicator {start|stop}"
    exit 1
    ;;
esac

exit 0
- /etc/samplicator.conf
# Sending Device : DestinationIPA/Port DestinationIPB/Port
123.145.12.1: 127.0.0.1/2057 127.0.0.1/2058 145.123.1.220/2054
123.145.12.2: 127.0.0.1/2057 127.0.0.1/2058 145.123.1.220/2054
Thanks go to http://www.bradreese.com/blog/plixer-5-21-2010.htm
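As an added example (not part of the original page or of samplicator itself), a small Python parser for the /etc/samplicator.conf layout above, so the replication rules can be sanity-checked before the listener is started with -S. It assumes samplicator's line syntax `source[/netmask]: addr/port[/freq[,ttl]] ...` and that every line whose source matches an exporter applies; the sample config is constructed.

```python
import ipaddress

# Constructed sample in the layout of the page's /etc/samplicator.conf; the last
# line adds a dotted-netmask source and a sampling frequency (assumed syntax).
SAMPLE_CONF = """\
# Sending Device : DestinationIPA/Port DestinationIPB/Port
123.145.12.1: 127.0.0.1/2057 127.0.0.1/2058 145.123.1.220/2054
123.145.12.2:127.0.0.1/2057 127.0.0.1/2058 145.123.1.220/2054
10.0.0.0/255.255.255.0: 127.0.0.1/2057/10
"""

def parse_receiver(token):
    """Parse one receiver 'addr/port[/freq[,ttl]]' into a dict."""
    parts = token.split("/")
    if len(parts) < 2:
        raise ValueError(f"receiver {token!r} needs addr/port")
    addr = ipaddress.ip_address(parts[0])
    port = int(parts[1])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in {token!r}")
    freq, ttl = 1, None
    if len(parts) > 2:
        freq_ttl = parts[2].split(",")
        freq = int(freq_ttl[0])
        if len(freq_ttl) > 1:
            ttl = int(freq_ttl[1])
    return {"addr": str(addr), "port": port, "freq": freq, "ttl": ttl}

def parse_conf(text):
    """Return [(source_network, [receivers]), ...] for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: missing ':' after sending device")
        src, rest = line.split(":", 1)
        src = src.strip()
        # a bare address matches exactly one exporter, i.e. a /32
        net = ipaddress.ip_network(src if "/" in src else src + "/32", strict=False)
        rules.append((net, [parse_receiver(t) for t in rest.split()]))
    return rules

def receivers_for(rules, exporter_ip):
    """Collectors a datagram from exporter_ip is copied to (every matching line applies)."""
    ip = ipaddress.ip_address(exporter_ip)
    return [r for net, recv in rules if ip in net for r in recv]
```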
NFDUMP
Utility to monitor (graph) Netflow data and run reports on it.
I followed the following guide; there were a few fixes that had to be done and I didn't track them.
http://terraltech.com/installation-and-configuration-of-nfdump-and-nfsen-on-ubuntu/
apt-get update && apt-get install gcc flex librrd-dev make
cd /usr/local/src/
- Grab latest nfdump from http://sourceforge.net/projects/nfdump/files/stable/
tar zxvf nfdump-latest.tar.gz
cd nfdump-latest
./configure --enable-nfprofile --enable-nftrack
make
checkinstall (deb package maker) or 'make install'
NFSEN
apt-get install apache2 libapache2-mod-php5 php5-common libmailtools-perl rrdtool librrds-perl libsocket6-perl
cd /usr/local/src/
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz
tar zxvf nfsen-1.3.6p1.tar.gz
cd nfsen-1.3.6p1
- install the Socket6 perl module
perl -MCPAN -e 'install Socket6'
cp etc/nfsen-dist.conf /etc/nfsen.conf
- Edit /etc/nfsen.conf
$USER = "www-data";
$WWWUSER = "www-data";
$WWWGROUP = "www-data";
%sources = (
'MYROUTER' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);
$MAIL_FROM = 'MYEMAIL@MYDOMAIN.COM';
$SMTP_SERVER = 'MY.SMTPSERVER.COM';
mkdir -p /data/nfsen
./install.pl /etc/nfsen.conf
- Fix Socket6 (Ubuntu)
In {DATADIR}/libexec/Lookup.pm & AbuseWhois.pm
Replace 'use Socket6;' with
Socket6->import(qw(pack_sockaddr_in6 unpack_sockaddr_in6 inet_pton getaddrinfo));
- Start it up
cd /data/nfsen/bin
./nfsen start
- then stop it
./nfsen stop
- Make it a service
ln -s /data/nfsen/bin/nfsen /etc/init.d/nfsen
nano /etc/init.d/nfsen
* See http://www.hurlster.com/wiki/index.php/Netflow#NFsen_Init.d
update-rc.d nfsen defaults 20
/etc/init.d/nfsen start
- Browse it
http://YourIpAddress/nfsen/nfsen.php
PortTracker
Within the source directory, see contrib/PortTracker
Make sure nfdump is compiled with the options "--enable-nfprofile --enable-nftrack".
mkdir -p /data/nfsen/ports-db/
chown www-data /data/nfsen/ports-db
cd /usr/local/src/nfsen-1.3.6p1/contrib/PortTracker/
cp PortTracker.pm /data/nfsen/plugins/
cp PortTracker.php /var/www/nfsen/plugins/
- Edit PortTracker.pm to change DB location
my $PORTSDBDIR = "/data/nfsen/ports-db";
- Edit etc/nfsen.conf or etc/nfsen-dist.conf
cd /usr/local/src/nfsen-1.3.6p1/
@plugins = ( [ 'live', 'PortTracker'], );
- Rerun installation to build it
./install.pl etc/nfsen.conf
- Build DB
This takes a little while.
sudo -u www-data nftrack -I -d /data/nfsen/ports-db
- Start it up
/etc/init.d/nfsen start
NFsen Init.d
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nfsen
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: nfsen
# Description:       nfdump tools
#                    <...>
#                    <...>
### END INIT INFO

# Author: John Francesco Ferlito <johnf@inodes.org>

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/storage/data/nfsen/bin
DESC=nfsen                            # Introduce a short description here
NAME=nfsen                            # Introduce the short server's name here
DAEMON=/storage/data/nfsen/bin/nfsen  # Introduce the server's location here
DAEMON_ARGS=""                        # Arguments to run the daemon with
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
USER=www-data
GROUP=www-data

# Exit if the package is not installed
[ -x $DAEMON ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
    mkdir -p /var/run/nfsen
    sudo chown -R $USER:$GROUP /var/run/nfsen
    $DAEMON start
    case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    $DAEMON stop
    case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  status)
    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  restart|force-reload)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    log_daemon_msg "Restarting $DESC" "$NAME"
    $DAEMON stop
    case "$?" in
      0|1)
        sudo chown -R $USER:$GROUP /var/run/nfsen
        $DAEMON start
        case "$?" in
          0) log_end_msg 0 ;;
          1) log_end_msg 1 ;; # Old process is still running
          *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
    exit 3
    ;;
esac

:
NTOPng
Real-time traffic monitor for a local interface and, if wanted, Netflow.
- Dependency
cd /usr/local/src/
wget http://download.zeromq.org/zeromq-4.0.3.tar.gz
tar zxvf zeromq-4.0.3.tar.gz
cd zeromq-4.0.3
./configure
make && make install
- SVN install
svn co https://svn.ntop.org/svn/ntop/trunk/ntopng/
cd ntopng
./configure
make
make install
mkdir /var/run/ntopng/
chown nobody:nogroup /var/run/ntopng/
- Edit /etc/ntopng/ntopng.start
--local-networks "192.168.0.0/24" --interface eth0
- Edit /etc/ntopng/ntopng.conf
-G=/var/run/ntopng/ntopng.pid
- Start it up
/etc/init.d/ntopng start
- Browse it (see below for reverse apache proxy)
http://servername:3000
Notes:
Start nProbe, which will act as a probe for ntopng:
nprobe --zmq "tcp://*:5556" -i ...
Start ntopng, which will act as a collector (it listens on local port 5556):
ntopng -i "tcp://127.0.0.1:5556"
Reverse Proxy
# add here
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
RewriteEngine On
RewriteCond %{HTTP_REFERER} www.website.com/ntop
RewriteCond %{REQUEST_URI} !^/ntop/
RewriteRule ^/(.*)$ http://www.website.com/ntop/$1 [L,R=permanent]
RewriteCond %{REQUEST_URI} ^/ntop/
RewriteRule ^/ntop/(.*)$ http://127.0.0.1:3000/$1 [L,P]
<Location /ntop>
ProxyPass http://127.0.0.1:3000 retry=0 timeout=5
ProxyPassReverse http://127.0.0.1:3000
</Location>