PacNOG5: Papeete, French Polynesia
Network Security Workshop
NFSen Lab Documents
NFdump
[Nfdump is the NetFlow collector and its command-line toolset]
1. Now install nfdump
# apt-get install nfdump
---
Installed tools are:
nfcapd nfdump nfreplay nfexpire nftest nfgen
---
NFSen
1. Now get nfsen
$ wget http://superb-west.dl.sourceforge.net/sourceforge/nfsen/nfsen-1.3.tar.gz
2. Setting up NfSen
$ tar -xzf nfsen-1.3.tar.gz
$ cd nfsen-1.3
$ cd etc
Edit the nfsen-dist.conf:
set the basedir variable
$BASEDIR = "/var/nfsen";
set the users:
$USER = "netflow";
$WWWUSER = 'www-data';
$WWWGROUP = 'www-data';
add sources:
%sources = (
'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
);
# each source follows this pattern: 'ident' => { 'port' => '<portnum>', 'col' => '<colour>' },
set the path for the PREFIX where to find the nfdump tools:
# nfdump tools path
$PREFIX = '/usr/bin';
set the buffer size to something small, so we see data quickly
# Receive buffer size for nfcapd - see man page nfcapd(1)
$BUFFLEN = 2000;
save and exit
3. Create a netflow user on the system.
# useradd -d /var/netflow -G www-data -m -s /bin/false netflow
4. Initiating nfsen
# cp nfsen-dist.conf nfsen.conf
# cd ..
# perl install.pl etc/nfsen.conf
[press 'return' when asked where perl is located]
5. Starting Nfsen
# cd /var/nfsen/bin
# ./nfsen start
(You can add the nfsen startup script to /etc/init.d/rc.local or somewhere similar to start it at bootup.)
Open your browser at http://localhost/nfsen/nfsen.php
6. Add more sources:
Go back to where you extracted your nfsen distribution.
# cd nfsen-1.3
# vi etc/nfsen.conf
%sources = (
'mgmtgw' => { 'port' => '2254', 'col' => '#0000ff' },
'lan1gw' => { 'port' => '2201','col' => '#00cc00' },
'lan3gw' => { 'port' => '2203','col' => '#000000' },
'lan4gw' => { 'port' => '2204','col' => '#ff0000' },
'nocgw' => { 'port' => '2205','col' => '#ffff00' },
);
Save & close.
# perl install.pl etc/nfsen.conf
# /var/nfsen/bin/nfsen stop
# /var/nfsen/bin/nfsen start