The main script used by nfsen is nfsen. There are many commercial or sflow, jflow, rflow, cflow, or netstream that are and use that we've recently detailed in this post that are also free of charge. Depending on your setup, you may generate a firehose worth of data. My first collector was the based stuff back around 13 years ago. The amount of time back in the past is limited only by the disk space available for all the netflow data. In the nfsen directory do this sudo.
The record statistics can be formatted according to the available output formats given by -o (see above). It is launched by NfSen. See the relevant documentation for your model. See the relevant documentation for a full description of netflow commands. For simplicity you can use user netflow. The default format is line, unless otherwise specified.
They will get removed in future versions. Analyzing the data can be done for a single file, or by concatenating several files for a single run. Raw format: The raw format displays each record in multiple lines, and prints any available information in the record. I assume this is the only traffic that you are seeing right now. To have this working properly you have to configure the e-mail server and the sender. Can be 'netflow' or 'sflow'. The details page has a couple of options to fine tune what you are seeing.
Adding sources to nfsen: If you want to add an additional netflow source to nfsen you will have to add it to the nfsen. Check them out and let us know what you think. Not finding what you are looking for? This makes it very powerful and very useful for nearly anyone, from the small technology tinkerer to the enterprise network engineer up through the service provider architect. Click on the stats tab for the live profile and edit each channel list. Principle of Operation: The goal of the design is to be able to analyze netflow data from the past as well as to track interesting traffic patterns continuously. The nfdump process needs its own user. Check them out if you want to see what they're all about.
That is the page that will allow you to get the most out of netflow. These are great if you are just getting into network analysis using Netflow, as they are designed to be very user-friendly and can be set up in relatively little time. This will go away if you reload the page; it's not a problem. An existing alert also holds a graphical overview of traffic that matched the nfdump query. The use of the nfsen web interface, together with a couple of examples, is described in detail on the website. If you answer 'no' below, you will enter an interactive dialog for each configuration option instead. Provide details and share your research! In practice this means you will be mirroring the traffic you are interested in to a port to be connected to the monitoring station.
The format of the netflow files has changed and by default 1. The ordering of the flags is not relevant. To convert a file: ft2nfdump -r nfdump -w. Now let's extract and install nfdump: tar -zxvf nfdump-1. Alerts: Nfsen has a feature that allows you to get e-mail alerts when an nfdump query is matched. Both of which I can confirm work wonderfully: the above collector is gathering flows from softflowd running on my as well as exported flows from pfflowd on a router. Install init script: In order to have nfsen start and stop automatically when the system starts, add a link to the init.
If you get ugly messages about not being able to initialize globals, among other problems, then you almost certainly have selinux running; turn it off. Basically nfsen puts together nfdump command line arguments. Ok, now you have absolutely no good reason not to be collecting flow data. The default web interface has a couple of tabs. A profile is defined by its name, type and one or more profile filters.
This is all left as an exercise for the reader. The software was developed by Aptivate staff and volunteers and looks to still be active. A last resort is to sleep for some time. After you navigate to a new page you get a cookie. You need to make sure that the nfsen package can read the nfsen. There is a patch to fix it; I never bothered since it did not cause any issues for me.
You may see a message such as: Frontend - Backend version mismatch! This allows easy package removal later. Install tcpdump and verify that flows are being sent on the specified port. All flows are filtered before they are further processed. Compilation failed in require at. Found myself having to do this a few times now and it usually ends up being quite messy in the end, so some nice clean instructions from a real sysadmin. This is the most flexible format, as you can specify yourself what the output looks like.
If the above conditions are not satisfied then add some other code that waits for the process to drop all resources that could be needed by services started subsequently. Remember: man nfcapd is your friend! You can let me pick mirrors for you, you can select them from a list, or you can enter them by hand. Of course things are not so straightforward. I am using Nfsen version 1. There are some other great things you can do with flow data, too, specifically sflow.