https://hurlster.com/wiki/index.php?action=history&feed=atom&title=Netflow
Netflow - Revision history
2026-05-15T16:19:31Z
Revision history for this page on the wiki
MediaWiki 1.38.4
https://hurlster.com/wiki/index.php?title=Netflow&diff=2574&oldid=prev
Gqwill69: /* NFSEN */
2014-03-04T21:55:44Z
<p><span dir="auto"><span class="autocomment">NFSEN</span></span></p>
<p><b>New page</b></p><div>This is some utilities that relate to Netflow usage.<br />
<br />
== Samplicator ==<br />
This is an awesome lightweight utility to replicate/duplicate UDP packets.<br><br />
Get the file: http://code.google.com/p/samplicator/downloads/list<br><br />
follow the INSTALL file.<br />
<br />
* /etc/init.d/samplicator<br />
#! /bin/sh<br />
# /etc/init.d/samplicator<br />
#<br />
<br />
# This simple script merely stops and starts samplicator processes. Note that<br />
# additional listeners can be added to the *start* section below, with other<br />
# config files, as needed.<br />
#<br />
# CREATE: 'sudo nano /etc/init.d/samplicator', 'sudo chmod +x /etc/init./samplicator'<br />
# ADD TO STARTUP: 'sudo update-rc.d samplicator defaults'<br />
<br />
# Carry out specific functions when asked to by the system<br />
case "$1" in<br />
start)<br />
echo "Starting script samplicator "<br />
# -S (spoof source address) -f (fork into background) -p (listening port)<br />
/usr/local/bin/samplicate -S -f -p 2056 -c /etc/samplicator.conf<br />
# add other listeners<br />
# /usr/local/bin/samplicate -S -f -p 8885 -c /etc/samplicator02.conf<br />
# /usr/local/bin/samplicate -S -f -p 8886 -c /etc/samplicator03.conf<br />
<br />
;;<br />
stop)<br />
echo "Stopping script samplicator"<br />
# kill ALL samplicator listeners<br />
kill $(pgrep samplicate)<br />
;;<br />
*)<br />
echo "Usage: /etc/init.d/samplicator {start|stop}"<br />
exit 1<br />
;;<br />
esac<br />
<br />
exit 0<br />
<br />
* /etc/samplicator.conf<br />
# Sending Device : DestinationIPA/Port DestinationIPB/Port<br />
123.145.12.1:127.0.0.1/2057 127.0.0.1/2058 145.123.1.220/2054<br />
123.145.12.2:127.0.0.1/2057 127.0.0.1/2058 145.123.1.220/2054<br />
<br />
Thanks goto http://www.bradreese.com/blog/plixer-5-21-2010.htm<br />
<br />
== NFDUMP ==<br />
Utility to monitor(graph) netflow data and run reports on it.<br><br />
I followed the following guide, there were a few /fixes/ that had to be done and I didn't track them.<br><br />
http://terraltech.com/installation-and-configuration-of-nfdump-and-nfsen-on-ubuntu/<br />
<br />
apt-get update && apt-get install gcc flex librrd-dev make<br />
cd /usr/local/src/<br />
* Grab latest nfdump from '''http://sourceforge.net/projects/nfdump/files/stable/'''<br />
tar zxvf ''nfdump-latest.tar.gz''<br />
cd nfdump-latest<br />
./configure --enable-nfprofile --enable-nftrack<br />
make<br />
checkinstall(deb package maker) or 'make install'<br />
<br />
== NFSEN ==<br />
apt-get install apache2 libapache2-mod-php5 php5-common libmailtools-perl rrdtool librrds-perl libsocket6-perl<br />
cd /usr/local/src/<br />
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.6p1/nfsen-1.3.6p1.tar.gz<br />
tar zxvf nfsen-1.3.6p1.tar.gz<br />
cd nfsen-1.3.6p1<br />
* install the Socket6 perl module<br />
perl -MCPAN -e 'install Socket6'<br />
<br />
cp etc/nfsen-dist.conf /etc/nfsen.conf<br />
* Edit /etc/nfsen.conf<br />
$USER = "www-data";<br />
$WWWUSER = "www-data";<br />
$WWWGROUP = "www-data";<br />
%sources = (<br />
'MYROUTER' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },<br />
);<br />
$MAIL_FROM = 'MYEMAIL@MYDOMAIN.COM';<br />
$SMTP_SERVER = 'MY.SMTPSERVER.COM';<br />
<br />
mkdir -p /data/nfsen<br />
./install.pl /etc/nfsen.conf<br />
<br />
* Fix Socket6 (Ubuntu)<br />
In {DATADIR}/libexec/Lookup.pm & AbuseWhois.pm<br> <br />
Replace 'use Socket6;' with<br><br />
Socket6->import(qw(pack_sockaddr_in6 unpack_sockaddr_in6 inet_pton getaddrinfo));<br />
<br />
* Start it up<br />
cd /data/nfsen/bin<br />
./nfsen start<br />
* then stop it<br />
./nfsen stop<br />
* Make it a service<br />
<strike>ln -s /data/nfsen/bin/nfsen /etc/init.d/nfsen</strike><br />
nano /etc/init.d/nfsen<br />
* See http://www.hurlster.com/wiki/index.php/Netflow#NFsen_Init.d<br />
update-rc.d nfsen defaults 20<br />
/etc/init.d/nfsen start<br />
<br />
* Browse it<br />
http://YourIpAddress/nfsen/nfsen.php<br />
<br />
=== PortTracker ===<br />
Within the source directory, see contrib/PortTracker<br />
make sure nfdump is compiled with options "--enable-nfprofile --enable-nftrack"<br />
<br />
mkdir -p /data/nfsen/ports-db/<br />
chown www-data /data/nfsen/ports-db<br />
<br />
cd /usr/local/src/nfsen-1.3.6p1/contrib/PortTracker/<br />
cp PortTracker.pm /data/nfsen/plugins/<br />
cp PortTracker.php /var/www/nfsen/plugins/<br />
<br />
* Edit PortTracker.pm to change DB location<br />
my $PORTSDBDIR = "/data/nfsen/ports-db"; <br />
<br />
* Edit etc/nfsen.conf or etc/nfsen-dist.conf<br />
cd /usr/local/src/nfsen-1.3.6p1/<br />
@plugins = (<br />
[ 'live', 'PortTracker'],<br />
);<br />
<br />
* Rerun installation to build it<br />
./install.pl etc/nfsen.conf<br />
<br />
* Build DB<br />
This takes a little while<br />
sudo -u www-data nftrack -I -d /data/nfsen/ports-db<br />
<br />
* Start it up<br />
/etc/init.d/nfsen start<br />
<br />
=== NFsen Init.d ===<br />
<pre><br />
#!/bin/sh<br />
### BEGIN INIT INFO<br />
# Provides: nfsen<br />
# Required-Start: $network $local_fs $remote_fs<br />
# Required-Stop: $remote_fs<br />
# Default-Start: 2 3 4 5<br />
# Default-Stop: 0 1 6<br />
# Short-Description: nfsen<br />
# Description: nfdump tools<br />
# <...><br />
# <...><br />
### END INIT INFO<br />
<br />
# Author: John Francesco Ferlito <johnf@inodes.org><br />
<br />
# PATH should only include /usr/* if it runs after the mountnfs.sh script<br />
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/storage/data/nfsen/bin<br />
DESC=nfsen # Introduce a short description here<br />
NAME=nfsen # Introduce the short server's name here<br />
DAEMON=/storage/data/nfsen/bin/nfsen # Introduce the server's location here<br />
DAEMON_ARGS="" # Arguments to run the daemon with<br />
PIDFILE=/var/run/$NAME.pid<br />
SCRIPTNAME=/etc/init.d/$NAME<br />
USER=www-data<br />
GROUP=www-data<br />
<br />
# Exit if the package is not installed<br />
[ -x $DAEMON ] || exit 0<br />
<br />
# Read configuration variable file if it is present<br />
[ -r /etc/default/$NAME ] && . /etc/default/$NAME<br />
<br />
# Load the VERBOSE setting and other rcS variables<br />
. /lib/init/vars.sh<br />
<br />
# Define LSB log_* functions.<br />
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.<br />
. /lib/lsb/init-functions<br />
<br />
case "$1" in<br />
start)<br />
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"<br />
mkdir -p /var/run/nfsen<br />
sudo chown -R $USER.$GROUP /var/run/nfsen<br />
$DAEMON start<br />
case "$?" in<br />
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;<br />
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;<br />
esac<br />
;;<br />
stop)<br />
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"<br />
$DAEMON stop<br />
case "$?" in<br />
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;<br />
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;<br />
esac<br />
;;<br />
status)<br />
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?<br />
;;<br />
restart|force-reload)<br />
#<br />
# If the "reload" option is implemented then remove the<br />
# 'force-reload' alias<br />
#<br />
log_daemon_msg "Restarting $DESC" "$NAME"<br />
$DAEMON stop<br />
case "$?" in<br />
0|1)<br />
sudo chown -R $USER.$GROUP /var/run/nfsen<br />
$DAEMON start<br />
case "$?" in<br />
0) log_end_msg 0 ;;<br />
1) log_end_msg 1 ;; # Old process is still running<br />
*) log_end_msg 1 ;; # Failed to start<br />
esac<br />
;;<br />
*)<br />
# Failed to stop<br />
log_end_msg 1<br />
;;<br />
esac<br />
;;<br />
*)<br />
echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2<br />
exit 3<br />
;;<br />
esac<br />
<br />
:<br />
</pre><br />
<br />
== NTOPng ==<br />
Real time traffic monitor for local interface and netflow if wanted<br />
<br />
* Dependancy<br />
cd /usr/local/src/<br />
wget http://download.zeromq.org/zeromq-4.0.3.tar.gz<br />
tar zxvf zeromq-4.0.3.tar.gz<br />
cd zeromq-4.0.3<br />
./configure<br />
make && make install<br />
<br />
* SVN install<br />
svn co https://svn.ntop.org/svn/ntop/trunk/ntopng/<br />
cd ntopng<br />
./configure<br />
make<br />
make install<br />
<br />
mkdir /var/run/ntopng/<br />
chown nobody:nogroup /var/run/ntopng/<br />
<br />
* Edit /etc/ntopng/ntopng.start<br />
--local-networks "192.168.0.0/24"<br />
--interface eth0<br />
<br />
* Edit /etc/ntopng/ntopng.conf<br />
-G=/var/run/ntopng/ntopng.pid<br />
<br />
* Start it up<br />
/etc/init.d/ntopng start<br />
* Browse it (see below for reverse apache proxy)<br />
http://servername:3000<br />
<br />
'''Notes:'''<br><br />
Start nProbe that will act as a probe for ntopng<br />
nprobe –zmq “tcp://*:5556″ -i …..<br />
Start ntopng that will act as a collector (it listens on local port 5556)<br />
ntopng -i “tcp://127.0.0.1:5556″<br />
<br />
Reverse Proxy<br />
# add here<br />
<Proxy *><br />
Order deny,allow<br />
Allow from all<br />
</Proxy><br />
ProxyRequests Off<br />
RewriteEngine On<br />
RewriteCond %{HTTP_REFERER} www.website.com/ntop<br />
RewriteCond %{REQUEST_URI} !^/ntop/<br />
RewriteRule ^/(.*)$ http://www.website.com/ntop/$1 [L,R=permanent]<br />
<br />
RewriteCond %{REQUEST_URI} ^/ntop/<br />
RewriteRule ^/ntop/(.*)$ http://127.0.0.1:3000/$1 [L,P]<br />
<br />
<Location /ntop><br />
ProxyPass http://127.0.0.1:3000 retry=0 timeout=5<br />
ProxyPassReverse http://127.0.0.1:3000<br />
</Location><br />
<br />
[[Category:Linux]]</div>
Gqwill69