Configure your network:
For this to work you need a smart switch that can mirror/clone traffic from one port to another, a computer to act as the flow generator, and a computer to act as the nfsen station.
In practice this means you will be mirroring the traffic you are interested in to a port to be connected to the monitoring station. I like to dedicate an interface on the monitoring station for this purpose; depending on your switch this might be mandatory as some switches will not let a system transmit through a switch set to "monitoring/mirroring" mode. (Note that 3Com used to call this mode "RMON Roving Port Analysis". Maybe they still do.)
Usually when doing pilots, the flow generating computer is the same as the nfsen computer.
Note that if your firewall/router is suitably advanced, you may be able to generate netflows internally from the device and therefore skip the fprobe steps completely.
This is all left as an exercise for the reader.
Download:
For the purposes of this example I am using:
These are available from rpmforge:
$ sudo yum install rrdtool rrdtool-devel perl-MailTools
You also need apache, perl, php, and the development tools, but all of that is available from the base and/or updates repositories.
Other Stuff
Turn off selinux.
Install fprobe
I use my own .src.rpm. In practice you can just do it the straightforward way:
$ ./configure
$ sudo make install
Start running fprobe to generate netflows
Invocation:
# fprobe -fip -i device dest_ip:dest_port
Notes:
- dest_ip can be localhost if you are running this on the same computer.
- for best results, don't use the interface you are monitoring to send/receive the netflows (because their addition will skew the numbers slightly).
- You might be interested in -e and -q values depending on how busy your link is.
# fprobe -fip -i eth2 -e 120 -q 10240 10.16.5.45:999
Create a local user
nfsen wants to run as a local user, by default "netflow".
$ sudo useradd -G apache -d /var/lib/netflow netflow
I stick netflow stuff in /var for no good reason.
This local user must be a member of the group that the webserver runs as (on CentOS, it is apache).
Also, you have to make sure that the webserver's group has read-access to the nfsen tree; I usually do it like this:
$ sudo chown netflow:apache ~netflow
$ sudo chmod 750 ~netflow
Build and Install nfdump
$ ./configure --enable-nfprofile
$ make
$ sudo make install
Configure nfsen
I copy etc/nfsen-dist.conf to etc/nfsen.conf and then edit the copy.
Lines I change:
- $BASEDIR (I change it to live in /var/lib/netflow/nfsen-1.3 so that if I ever have multiple versions I can keep them separate)
- $WWWUSER/$WWWGROUP (change both to apache)
- %sources (remove the two samples, add your flow(s)); example to match the fprobe example above:
%sources = ( 'ns25-lan' => { 'port' => '999', 'col' => '#0000ff', 'type' => 'netflow' }, );
$ sudo ./install.pl etc/nfsen.conf
Start nfsen:
$ sudo nfsen-1.3/bin/nfsen start
Configure http to look at nfsen:
This is an example /etc/httpd/conf.d/nfsen.conf (the per-directory directives such as Options and AllowOverride are only valid inside a Directory block, so the web root is wrapped in one):
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen>
    DirectoryIndex nfsen.php
    Options -Indexes
    AllowOverride all
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthUserFile /etc/httpd/conf/htpasswd.nfsen
    AuthName "Access"
    Require valid-user
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc on
    php_flag track_vars on
</Directory>
Note that if you use the Auth directives above, you also need to create and populate the password file they refer to:
$ sudo htpasswd -c /etc/httpd/conf/htpasswd.nfsen admin
New password:
Re-type new password:
...and restart httpd so that the change takes effect:
$ sudo /usr/sbin/service httpd restart
Make it all reasonably available
You'll want to ensure that the following things start on boot:
- fprobe
- nfsen
- httpd
Point your browser at the system where you installed nfsen and start playing.
If you get ugly messages about not being able to initialize globals (among other problems) then you almost certainly have selinux running (turn it off). Either that or you skipped the directory ownership/permissions step above.
A Brief Word About VLANs
If you are using VLANs on the wire you are sniffing, whether you need to get fancy depends on the switch. When I was hooked up to a 3Com 4900, a single fprobe instance attached to the interface read all VLANs correctly; when the 4900 was replaced by a Dell 3548, the single fprobe instance only read the outbound traffic and didn't read any of the inbound traffic. I had to create un-addressed interfaces for each VLAN and then run a separate fprobe instance for each interface (with an associated separate probe on the nfsen collector too).
e.g.:
vconfig add eth2 2024
ifconfig eth2.2024 up
fprobe -f"ip" -i eth2.2024 -e 120 -q 10240 172.30.0.159:997
vconfig add eth2 2045
ifconfig eth2.2045 up
fprobe -f"ip" -i eth2.2045 -e 120 -q 10240 172.30.0.159:996
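Putting the per-VLAN setup above and the start-on-boot list together, here is an added helper script (not from the original post or from the nfsen/fprobe projects) that brings up each VLAN sub-interface, starts one fprobe per VLAN, and prints the matching %sources stanza for nfsen.conf so the probe and collector ports agree. The collector address, interface, VLAN ids and ports are the values from the example above, and the script name and the source names it generates are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one un-addressed VLAN
# sub-interface and one fprobe per VLAN, as in the Dell 3548 case above.
# COLLECTOR, BASE_IF and VLAN_PORTS are assumed placeholder values.
COLLECTOR=172.30.0.159
BASE_IF=eth2
# "vlan:collector_port" pairs; each port must match a %sources entry in nfsen.conf.
VLAN_PORTS="2024:997 2045:996"

# Build the fprobe command line for one VLAN sub-interface, using the same
# options as the examples above (IP-only filter, -e 120, -q 10240).
fprobe_cmd() {
    # $1=base interface  $2=VLAN id  $3=collector IP  $4=collector port
    echo "fprobe -fip -i $1.$2 -e 120 -q 10240 $3:$4"
}

# Print the matching nfsen %sources stanza (source names are assumed).
nfsen_sources() {
    # $1=base interface  $2="vlan:port ..." list
    echo "%sources = ("
    for vp in $2; do
        vlan=${vp%%:*}; port=${vp##*:}
        echo "    '$1-vlan$vlan' => { 'port' => '$port', 'col' => '#0000ff', 'type' => 'netflow' },"
    done
    echo ");"
}

# Create each sub-interface and launch its probe (needs root, vconfig and
# fprobe installed). With DRY_RUN set, only print what would be executed.
start_probes() {
    for vp in $VLAN_PORTS; do
        vlan=${vp%%:*}; port=${vp##*:}
        cmd=$(fprobe_cmd "$BASE_IF" "$vlan" "$COLLECTOR" "$port")
        if [ -n "$DRY_RUN" ]; then
            echo "vconfig add $BASE_IF $vlan; ifconfig $BASE_IF.$vlan up; $cmd"
        else
            vconfig add "$BASE_IF" "$vlan" && ifconfig "$BASE_IF.$vlan" up && $cmd
        fi
    done
}

# Usage: ./vlan-probes.sh start      (e.g. from /etc/rc.d/rc.local at boot)
#        ./vlan-probes.sh dry-run    (print the commands only)
#        ./vlan-probes.sh sources    (print the %sources stanza for nfsen.conf)
case "$1" in
    start)   start_probes ;;
    dry-run) DRY_RUN=1 start_probes ;;
    sources) nfsen_sources "$BASE_IF" "$VLAN_PORTS" ;;
esac
```

Run it with `dry-run` first to confirm the interface names and collector ports line up with what you configured in nfsen.conf before starting the real probes.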
Update: 2 June 2010
Notes about CentOS 5
Quasi-upgrade/new installation: my nfsen system has small, full disks. Instead of migrating the installation from a small disk to a large one, I decided to build a new system, copy the current data (plus assorted other things I've done with the historical data) to the new system, and go. Of course things are not so straightforward.
nfsen has been updated to 1.3.3. I cannot get 1.3.3 to install, it complains about 'docs' not being a valid directory. 1.3.2 works. Interestingly the 1.3.2 tar file is much larger than the 1.3.3 file was.
nfdump has been updated to 1.6.x. The format of the netflow files has changed and by default 1.6.1 won't read 1.5.x dump files. If you have some 1.5.x netflow files around that you might want to read, you have to configure nfdump as follows:
# ./configure --enable-compat15 --enable-nfprofile
If you are getting rrdtool and friends from rpmforge, beware that rpmforge has upgraded their latest available rrdtool to 1.4.x (for EL 5.x, anyway); nfsen won't deal with anything higher than the 1.3.x stream. I went to the rpmforge repo site in my web browser (which for me was http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/) and downloaded the versions I had been running on my older system, which were:
- perl-rrdtool-1.2.30-1.el5.rf.i386.rpm
- rrdtool-1.2.30-1.el5.rf.i386.rpm
- rrdtool-devel-1.2.30-1.el5.rf.i386.rpm