AddThis Social Bookmark Button


Monitoring Network Traffic with Netflow
Pages: 1, 2, 3, 4

On some recent versions of FreeBSD, /usr/ports/net-mgmt/p5-Cflow automatically detects the presence of the flow-tools libraries. Cflow links this library as -lnsl, and if the build process doesn't find it during the configure process you'll see a warning like:

Note (probably harmless): No library found for -lnsl

This warning is not harmless; it means that this Cflow build will not work for you. If you don't see this line, just install Cflow and see if it works. Cflow includes flowdumper(1), a program to read flow files on the command line. Check the largest flow file you have, so that you can be sure the record includes something to view.

#flowdumper -s ft-v05.2005-04-28.201501-0400 | more
2005/04/28 19:14:01 -> 6(SYN|ACK) 3 144
2005/04/28 19:14:01 -> 6(SYN) 1 48
2005/04/28 19:14:01 -> 6(SYN|ACK) 3 144
2005/04/28 19:14:01 -> 6(SYN) 1 48

Each line is a flow. This records the source and destination IPs of assorted TCP/IP transactions. You might notice that this particular snippet of four lines is actually only two TCP/IP sessions. The first line indicates that traffic is coming from, port 80, to the host The next line shows traffic from the second host going to the first.

If your Cflow install is faulty, flowdumper will return either silence or an error. You cannot proceed until you resolve this error--at least, you can't proceed if you want your reporting tools to work! Uninstall your current p5-Cflow package and build it another way.

Remember how I said to not clean the flow-tools port? Go back to the port directory, cd to the work subdirectory, and go to the source code directory. There is another Cflow tarball in a subdirectory named contrib. Extract it.

# cd /usr/ports/net-mgmt/flow-tools/work/flow-tools-0.67/contrib
# tar -xzvf Cflow-1.051.tar.gz

Cflow frequently picks up the proper library when installed from this location under a compiled flow-tools package. (This means that you have to have a built flow-tools in the directory above you; this is why I told you not to do a make clean.) Just follow the usual Perl module building process.

# perl Makefile.PL
# make
# make install

Try flowdumper again, and it should work.

On occasion, I've had even this fail. In that case, use brute force. Flow-tools installs libft.a under /usr/local/lib. Edit the section of's Makefile.PL where it checks for the flow-tools library:

sub find_flow_tools {
   my($ver, $dir);
   my($libdir, $incdir);
   if (-f '../../lib/libft.a') {
      $dir = '../../lib';
      $incdir = "-I$dir -I$dir/..";
      $libdir = "-L$dir";

Edit the line that reads

   if (-f '../../lib/libft.a') {

to read

   if (-f '/usr/local/lib/libft.a') {

If this fails, there's something seriously wrong with your Perl install. Now, run make and make install. You now have a flow-tools aware flowdumper, which indicates that the Perl module underlying it works correctly with your collector.

You can probably easily imagine a whole slew of Perl scripts that would take this data and generate pretty graphs and reports on usage, or identify peak bandwidth consumers. Other people have already done the heavy lifting on this one, however. My next article will look at creating pretty pictures from Netflow data.

Michael W. Lucas

Return to the Sysadmin DevCenter