Monitoring Network Traffic with Netflow
Collector Setup
Your collector gathers the data exported by the sensor and stores it on disk
for long-term reference. If possible, install your collector on a Web server;
it will make reporting much nicer and easier. I recommend flow-capture, a very
popular Netflow collector included in the flow-tools package. On
FreeBSD, flow-tools is in the Ports tree at
/usr/ports/net-mgmt/flow-tools. Install it with the usual "make all
install." Do not type make clean! You might have to
rebuild some components by hand. For the same reason, don't use a precompiled
flow-tools package.
Make a directory for flow-capture to keep its records. I usually use /var/log/netflow, but anywhere you have space works. On a multimegabit network, Netflow files can fill several GB of disk over a few weeks. I also recommend creating a saved subdirectory under your log directory, for the reporting system to use.
Now you need a startup script so flow-capture will run automatically at boot. A command like the following works nicely:
# /usr/local/bin/flow-capture -p /var/run/flow-capture.pid -n 287 \
-N 0 -w /var/log/netflows/ -S 5 0/0/8818
Most of this you can use unchanged. The -w flag tells
flow-capture where to place its files. The final argument tells flow-capture
which local IP to listen on, which remote IP to accept flows from, and which UDP port
it should listen on. In this case, 0/0/8818, the collector listens on all
local IP addresses, for flows from any remote IP address, on port 8818. If
your collector can receive random Internet traffic, specify your particular
sensor IP as the middle value. (My collector is behind a firewall, and anyone
who can sneak past the firewall would have no trouble deceiving flow-capture as
well.) Flow-capture needs the -n 287, -N 0, and
-S 5 arguments to interoperate with the reporting package, so
leave them alone.
Once you start flow-capture, flow files will appear in your log directory. The names of these files come from the version of Netflow data they're gathering and the date and time at which this data began. For example, the filename tmp-v05.2005-04-28.201001-0400 indicates a temporary file, containing Netflow version 5 data, collected on April 28, 2005, starting at 20:10:01 (or 1 second after 8:10 p.m.), at -4 hours from GMT. Every five minutes, flow-capture moves the temporary file to a permanent location and starts a new temporary file. Permanent files begin with ft instead of tmp, but otherwise the names are exactly the same.
To confirm that your flow-capture install is actually collecting something, see if the temporary file grows. This should happen quickly, within a few minutes on a busy network.
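As an added example (not from the article or the flow-tools project), the following Python script decodes flow-capture filenames of the form described above and scans a directory listing for missing five-minute intervals, which would point to a sensor or collector outage. The filename pattern is inferred from the example name in the text, and the listing is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Filename layout assumed from the article's example: tmp-v05.2005-04-28.201001-0400
# prefix (tmp or ft), Netflow version, date, HHMMSS start time, offset from GMT.
FLOW_NAME = re.compile(
    r"^(?P<kind>tmp|ft)-v(?P<version>\d{2})\."
    r"(?P<date>\d{4}-\d{2}-\d{2})\.(?P<time>\d{6})(?P<tz>[+-]\d{4})$"
)

# Constructed listing of a log directory; 20:20:01 is deliberately missing.
SAMPLE_LISTING = [
    "saved",
    "ft-v05.2005-04-28.200501-0400",
    "ft-v05.2005-04-28.201001-0400",
    "ft-v05.2005-04-28.201501-0400",
    "ft-v05.2005-04-28.202501-0400",
    "tmp-v05.2005-04-28.203001-0400",
]


def parse_flow_filename(name):
    """Return (kind, netflow_version, aware start datetime), or None for non-flow names."""
    m = FLOW_NAME.match(name)
    if not m:
        return None
    sign = -1 if m["tz"][0] == "-" else 1
    offset = sign * timedelta(hours=int(m["tz"][1:3]), minutes=int(m["tz"][3:5]))
    start = datetime.strptime(m["date"] + m["time"], "%Y-%m-%d%H%M%S")
    return m["kind"], int(m["version"]), start.replace(tzinfo=timezone(offset))


def find_gaps(names, interval_minutes=5, slack_seconds=60):
    """List (previous_start, next_start) pairs of permanent files spaced further apart
    than one rotation interval, allowing a little slack for rotation jitter."""
    parsed = (parse_flow_filename(n) for n in names)
    starts = sorted(p[2] for p in parsed if p and p[0] == "ft")
    limit = timedelta(minutes=interval_minutes, seconds=slack_seconds)
    return [(a, b) for a, b in zip(starts, starts[1:]) if b - a > limit]


if __name__ == "__main__":
    for prev, nxt in find_gaps(SAMPLE_LISTING):
        print(f"gap: no flow file between {prev.isoformat()} and {nxt.isoformat()}")
```

Run it against `os.listdir("/var/log/netflow")` instead of the constructed listing to audit a real collector; an empty result means every five-minute interval has a permanent file.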
The information in these files is in a binary format requiring special tools to read. Many of those tools use Cflow.pm.
Cflow.pm Setup
Many different Netflow reporting tools use the Cflow.pm perl module to read
Netflow files. This includes a library and command-line tool for viewing and
manipulating flow files. The hard part is that each collector has its own
storage format. While the original purpose of Cflow.pm was to process
cflowd(8) files, Cflow.pm can support other formats if properly
installed.
This part is where most people give up on Netflow. Follow the directions carefully. Be sure to verify your work when your Cflow.pm install is complete.