- Generate NetFlow traffic (simulator) on a Linux box
- Map the generated data as visual graphs
Situation :
"Recently I needed some NetFlow data samples, I’ve looked all over the internet for some of those, but for obvious privacy reasons there were none. No one shares their NetFlow data. Not even a little sample. So what could I do, I had no Cisco equipment to generate traffic on and then to collect it in data flows. So I’ve improvised by using my laptop as a router in the campus network and collecting the traffic that went through it in data flows. This post is about how to generate and collect NetFlow data on your own network."
Tools used :
- softflowd : https://github.com/davidediger/softflowd : Netflow generator daemon
- nfdump : https://github.com/phaag/nfdump : Netflow dump
- nfsen : https://github.com/sown/nfsen : Visualization tool for nfdump
# apt-get install softflowd
Set the capture interface and the collector address in softflowd's defaults file (/etc/default/softflowd on Debian/Ubuntu); -n points softflowd at the collector on 127.0.0.1:9995, the port nfcapd listens on by default:
INTERFACES="any"
OPTIONS="-n 127.0.0.1:9995"
# /etc/init.d/softflowd start
If you don’t want to wait for the flows to expire, you may force them to by running this:
# softflowctl -c /var/run/softflowd.ctl expire-all
nfdump - install and test the collector
The nfdump package is a suite of tools; the two that matter here are nfcapd, the collector, and nfdump, the display and analysis program. The other tools in the package are not needed for this setup. To install nfdump run:
# apt-get install nfdump
# nfcapd -D -l /var/cache/nfdump
# lsof -Pni | grep nfcapd
-D daemonizes nfcapd and -l sets the directory it writes its flow files to; lsof should show it listening on UDP port 9995, the default, which matches the -n address given to softflowd above.
We should wait awhile for some data to be produced, but to see what that data looks like we could run the following command:
# nfdump -R /var/cache/nfdump/ | head -5
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2015-09-10 18:45:05.243 0.000 UDP 158.121.23.138:59026 -> 158.121.23.255:8083 1 49 1
2015-09-10 18:45:08.107 0.000 UDP 158.121.22.94:68 -> 255.255.255.255:67 2 656 1
2015-09-10 18:42:29.532 161.807 UDP 158.121.23.0:68 -> 255.255.255.255:67 3 984 1
2015-09-10 18:45:08.458 4.103 UDP 158.121.22.94:137 -> 158.121.23.255:137 4 312 1
Force the cached flows out of softflowd and look again:
# sudo softflowctl -c /var/run/softflowd.ctl expire-all
# nfdump -R /var/cache/nfdump/ | head -5
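The text nfdump prints is easy to post-process before nfsen is even installed. As an added example (not from the post), this Python script parses default-format nfdump lines into records, totals bytes per source address and picks out flows aimed at broadcast addresses, which is most of what the sample above consists of; the input is the four flows shown above plus a header line and one constructed TCP flow to 192.0.2.10.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Header plus the four flows printed by nfdump above and one constructed TCP flow (192.0.2.10).
SAMPLE = """Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2015-09-10 18:45:05.243 0.000 UDP 158.121.23.138:59026 -> 158.121.23.255:8083 1 49 1
2015-09-10 18:45:08.107 0.000 UDP 158.121.22.94:68 -> 255.255.255.255:67 2 656 1
2015-09-10 18:42:29.532 161.807 UDP 158.121.23.0:68 -> 255.255.255.255:67 3 984 1
2015-09-10 18:45:08.458 4.103 UDP 158.121.22.94:137 -> 158.121.23.255:137 4 312 1
2015-09-10 18:45:09.001 0.512 TCP 158.121.23.138:50112 -> 192.0.2.10:443 12 4830 1
"""

# nfdump default line: date time duration proto src:port -> dst:port packets bytes flows.
# Counters must be plain integers, so run nfdump with -N to stop it scaling them to K/M/G.
FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)

def parse_flows(text):
    """Return one dict per flow line; the header and anything unparsable are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "packets", "bytes", "flows"):
            rec[key] = int(rec[key])
        rec["dur"] = float(rec["dur"])
        flows.append(rec)
    return flows

def bytes_by_source(flows):
    """Bytes sent per source address (top-talker view)."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals

def broadcast_flows(flows):
    """Flows to 255.255.255.255 or a directed broadcast (IPv4 last octet 255; exact for /24-or-wider nets)."""
    return [f for f in flows if ip_address(f["dst"]).packed[-1] == 255]

if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()  # or pipe `nfdump -N -R <dir>` into it
    flows = parse_flows(text)
    print(bytes_by_source(flows).most_common(5), len(broadcast_flows(flows)), "broadcast flows")
```

Run it with no input to see the sample summarised, or feed it live data with `nfdump -N -R /var/cache/nfdump/ | python3 flows.py`.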
nfsen : a visualization tool for nfdump
Download the nfsen-1.3.8 bundle and unpack it. Make a copy of the nfsen.conf template (etc/nfsen-dist.conf in the bundle) as etc/nfsen.conf so it is ready for editing:
# tar -xvf nfsen-1.3.8.tar.gz
# cd nfsen-1.3.8/
The installer stops on the missing RRD dependencies, so install rrdtool and rerun it:
# sudo ./install.pl etc/nfsen.conf
# sudo apt-get install rrdtool
# sudo ./install.pl etc/nfsen.conf
One route to the Perl bindings is CPAN plus an rrdtool 1.4.3 source build ($INSTALL_DIR must be set to the desired install prefix first; libpango1.0-dev and libxml2-dev are needed for the build):
# perl -MCPAN -e 'install RRD::Simple'
# wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.3.tar.gz
# gunzip -c rrdtool-1.4.3.tar.gz | tar xf -
# cd rrdtool-1.4.3/
# sudo apt-get install libpango1.0-dev libxml2-dev
# sudo ./configure --prefix=$INSTALL_DIR && make && make install
# sudo ./install.pl etc/nfsen.conf
The simpler route is the distro packages, which also bring the RRDs/RRDp Perl modules nfsen uses:
# sudo aptitude install rrdtool librrd2-dev librrd-dev librrd4 librrds-perl librrdp-perl
The web front end needs PHP. Check which ports are already in use, edit nfsen.conf, create the user nfsen runs as ($USER in nfsen.conf; it is added to the web server group www-data) and run the installer again:
# sudo apt-get install php5
# netstat -autn | grep -i listen
# vi etc/nfsen.conf
# sudo useradd -d /var/netflow -G www-data -m -s /bin/false netflow
# sudo perl install.pl etc/nfsen.conf
install.pl also stops on missing Perl modules. instmodsh lists what is installed; the missing ones here were Mail::Header and Socket6, each installed from CPAN with install.pl rerun afterwards:
# sudo instmodsh
# sudo perl -MCPAN -e 'install Mail::Header'
# sudo perl install.pl etc/nfsen.conf
# sudo perl -MCPAN -e 'install Socket6'
# sudo perl install.pl etc/nfsen.conf
Check whether an nfsen is already running, start it, then point Apache at the HTML directory set in nfsen.conf ($HTMLDIR):
# sudo ps -ef | grep nfsen
# sudo ./nfsen start
# sudo nano /etc/apache2/sites-available/000-default.conf
# sudo vi /etc/apache2/apache2.conf
References :
- All of the above is documented here : https://github.com/beeyeas/spark-playground/tree/master/netflow
- nfsen : http://nfsen.sourceforge.net/#mozTocId778656
- http://elf11.github.io/2015/09/10/NetFlows-data-generation.html
- http://meetings.ripe.net/ripe-50/presentations/ripe50-plenary-tue-nfsen-nfdump.pdf
- https://farisy18.wordpress.com/tag/rrdtool/