NFSen & NetFlow Exercise

0. NFSen may have already been installed for you. If so, skip to step 8.

1. Install nfdump (nfdump is the NetFlow collector and query tool).
   On your NOC (10.X.2.1):
   $ sudo apt-get install nfdump
   Installed tools are: nfcapd nfdump nfreplay nfexpire nftest nfgen

2. Install RRD (round robin database) and its Perl bindings:
   $ sudo apt-get install rrdtool
   $ sudo apt-get install librrdp-perl librrds-perl

3. Install PHP and restart Apache so it picks up the module:
   $ sudo apt-get install php5
   $ sudo /etc/init.d/apache2 restart

4. Now get NfSen - there is no Ubuntu package yet:
   $ cd
   $ wget www.co.tt/files/nfsen-1.3.6p1.tar.gz

   Setting up NfSen:
   $ tar -xzf nfsen-1.3.6p1.tar.gz
   $ cd nfsen-1.3.6p1/etc

   Copy nfsen-dist.conf and edit the copy:
   $ cp nfsen-dist.conf nfsen.conf
   $ vi nfsen.conf

   - set the base directory:
     $BASEDIR = "/var/nfsen";
   - set the web site directory:
     $HTMLDIR = "/var/www/html/nfsen/";
   - set the users:
     $USER = "netflow";
     $WWWUSER = 'www-data';
     $WWWGROUP = 'www-data';
   - add the following entry to the sources hash (between "%sources = (" and ");") and remove the other entries:
     'rtr' => { 'port' => '2000', 'col' => '#0000ff' },
   - set the PREFIX path where the nfdump tools are found:
     $PREFIX = '/usr/bin';
   - set the buffer size to something small, so we see data quickly:
     $BUFFLEN = 2000;
   ... Save and exit.

5. Create a netflow user on the system:
   $ sudo useradd -d /var/netflow -G www-data -m -s /bin/false netflow

6. Initialise NfSen:
   $ cd ..
   $ sudo perl install.pl etc/nfsen.conf
   (Press Return when asked where perl is located. Ignore "Can not get semaphore:".)

7. Setting up your routers to generate flow data
   For this class the class router is already configured to send NetFlow data to all of you.
   (FYI: I used commands like "vyos@vyos# set system flow-accounting netflow server 10.203.2.1 port 2000".)

8. Starting NfSen:
   $ cd /var/nfsen/bin
   $ sudo ./nfsen start
   (You can add the nfsen startup script to /etc/rc.local or somewhere similar to start it at bootup.)

   Watch your browser at http://10.X.2.1/nfsen/nfsen.php
   You may see "Backend version missmatch". This is an nfsen bug; reload the page and it should be gone.
   Note that it will take several minutes for data to appear on your graphs.

9. See the next NFSEN slide presentation on how to set up channels. Only do the first part of Part 1, covering HTTP_TRAFFIC. Use your DNS server for "pcY". Summary:
   - Click "live" and select "New Profile".
   - Enter "HTTP_TRAFFIC" for the profile name.
   - Select "New group" and enter groupX, where X is your group number.
   - Select "Individual channels" and "Shadow Profile", then "Create Profile".
   - Click on "+" under "Channel List".
   - Enter "TOTAL_TRAFFIC" for "Channel name", Filter "any".
   - Highlight "rtr" (the source name from nfsen.conf) and click ">>", then "Add Channel".
   - Add another channel by clicking "+" under "Channel List".
   - Choose a "Channel name" like authgrpX and pick another "Colour".
   - Enter "src port 80 and dst host 10.X.1.1" for Filter.
   - Highlight "rtr" and click ">>", then "Add Channel".
   - Next to "Status", click the green tick mark to activate your profile.
   - In the "live" tab, select the group you created and HTTP_TRAFFIC, then click on the "HOME" tab.

   The same steps in more detail:

10. Click on "live" at the top right and select "New Profile". In the Profile field enter "HTTP_TRAFFIC" and additionally create a new group called "groupX", where X is your group number. Select "Individual channels" and "Shadow Profile". Then click "Create Profile".

11. Click on the "+" sign in the lower right-hand corner. On the next screen name the channel "TOTAL_TRAFFIC" with Filter "any". Highlight "rtr" in Sources and click ">>". Then "Add Channel".

12. Add another channel with the "+" sign. Pick another channel name like "HTTPatDNS" and another colour. Move "rtr" to the selected sources and set the Filter to "src port 80 and dst host 10.X.1.1" (your DNS server). Then "Add Channel". The filter uses nfdump filter syntax, so the same expression can be given to nfdump on the command line.

13. Click the green check mark at the lower right of the first box. You should see "OK". Click on the "Home" tab and make sure "HTTP_TRAFFIC" is selected next to "Profile:".

14. Log onto your DNS server (10.X.1.1) and generate some HTTP traffic for the channel to catch:
   $ cd /tmp
   $ wget http://monitor.dnssek.org/BigFile
   $ rm /tmp/BigFile
   $ exit

15. It may take up to 15 min for nfsen to update. Go to Graphs, then Traffic, then click on the top graph for details. Once you see it working you might want to try: Details -> process, then place the mouse over an IP address and click.
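To confirm on the command line what the HTTPatDNS channel graphs, the following added example (not part of the handout or of the NfSen/nfdump projects) sums bytes per destination for flows from source port 80, the same selection as the channel filter. It assumes the NOC layout used in this exercise: nfsen keeps the live data for source "rtr" under /var/nfsen/profiles-data/live/rtr (nfsen's default $BASEDIR/profiles-data/live/<source>), and nfdump is asked for a comma-separated custom format so awk can parse it. The flow lines embedded in the script are constructed sample data standing in for real nfdump output, with 10.1.1.1 playing the part of the group's DNS server.

```shell
#!/bin/sh
# Added example for this exercise; not part of NfSen, nfdump or the handout.
# Summarises HTTP bytes delivered to one host from nfdump output, the same
# selection the HTTPatDNS channel ("src port 80 and dst host 10.X.1.1") graphs.
#
# Expected input is one flow per line as printed by this command on the NOC
# (assumed nfsen layout; adjust the path and X for your group):
#
#   nfdump -q -N -R /var/nfsen/profiles-data/live/rtr \
#       -o 'fmt:%ts,%sa,%sp,%da,%dp,%pr,%byt' \
#       'src port 80 and dst host 10.X.1.1'
#
# -q suppresses nfdump's header and summary lines, -N prints plain byte counts.
# nfdump pads fixed-width columns with spaces, so every field is trimmed.

# Constructed sample flows standing in for real nfdump output.
# Fields: 1=ts 2=sa 3=sp 4=da 5=dp 6=pr 7=bytes. The timestamp contains a
# space but no comma, so splitting on commas is safe.
SAMPLE='2014-03-10 09:12:01.123,10.203.1.10,80,10.1.1.1,50212,TCP,1048576
2014-03-10 09:12:01.456,10.1.1.1,50212,10.203.1.10,80,TCP,4120
2014-03-10 09:12:03.000,10.1.1.1,53,10.1.2.7,41000,UDP,212
2014-03-10 09:12:05.900,10.203.1.10,80,10.1.1.1,50213,TCP,524288
2014-03-10 09:12:07.000,192.0.2.5,80,10.1.2.1,44001,TCP,9000'

# total_bytes: bytes over all flows on stdin (what the TOTAL_TRAFFIC channel counts).
total_bytes() {
  awk -F, '{ sum += $7 } END { printf "%d\n", sum + 0 }'
}

# http_bytes_by_dst HOST: flows and bytes from source port 80 to HOST.
# Prints "HOST FLOWS BYTES"; "HOST 0 0" when nothing matched.
http_bytes_by_dst() {
  awk -F, -v host="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    trim($3) == "80" && trim($4) == host { flows++; bytes += $7 }
    END { printf "%s %d %d\n", host, flows + 0, bytes + 0 }'
}

# top_http_servers: port-80 bytes per (server -> client) pair, largest first.
# Handy when the graph shows a spike and you want to know which server sent it.
top_http_servers() {
  awk -F, '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    trim($3) == "80" { b[trim($2) " -> " trim($4)] += $7 }
    END { for (k in b) printf "%d %s\n", b[k], k }' | sort -rn
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | total_bytes
printf '%s\n' "$SAMPLE" | http_bytes_by_dst 10.1.1.1
printf '%s\n' "$SAMPLE" | top_http_servers
```

On the NOC, pipe the nfdump command from the header comment into http_bytes_by_dst 10.X.1.1 (or drop the filter argument and use top_http_servers) a few minutes after running the wget in step 14; the byte count you get should match the bump the HTTPatDNS channel shows while TOTAL_TRAFFIC carries everything else the router exported.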