Since my NFDump/NFSen Upgrade post many moons ago, I am once again doing an install for analyzing NetFlow, this time on a server running Open vSwitch (OVS).
NFDump is a netflow collector. NFSen analyzes the netflow entries captured by NFDump.
Installing NFDump is easy using Debian's package:
apt install nfdump
systemctl stop nfdump
systemctl disable nfdump
The last two lines stop and disable the packaged service; NFSen starts and controls the collector processes itself.
From a visualization perspective, there are a number of possibilities:
- NFSen Documentation is the main starting page for the code at SourceForge.
- NFSen on GitHub is p-alik's unofficial updated version of the original repository - my preferred location, as it carries some important bug fixes and stays current.
- mbolli / nfsen-ng - a modernized version of NFSen, but it doesn't appear to offer NFSen's flexible query capability.
- robcowart / elastiflow - I saw a link to this from Netflow collection and visualization with Elastiflow. It may have no relationship to NFDump / NFSen but seems promising nonetheless. Installation notes are at Installing Elastiflow flow monitoring solution.
From an NFSen perspective, here are the steps I used on a Debian Bullseye installation:
apt install wget less vim
apt install php rrdtool librrd-dev librrds-perl php-rrd
apt install libmailtools-perl
apt install libsocket6-perl
apt install git
cd /usr/src
git clone https://github.com/p-alik/nfsen.git
cd nfsen
cp etc/nfsen-dist.conf etc/nfsen.conf
vim etc/nfsen.conf
./install.pl ./etc/nfsen.conf
/usr/local/bin/nfsen start
# still in /usr/src/nfsen, so the config files live under etc/
diff etc/nfsen-dist.conf etc/nfsen.conf
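The setting in nfsen.conf that most deserves a second look before `nfsen start` is the `%sources` hash, which tells NFSen which UDP ports (and optionally which local IP) each nfcapd collector listens on. The following is an added example, not code from the post or from the NFSen project: it parses `%sources` out of a constructed nfsen.conf fragment and flags duplicate ports, ports outside the valid range, and sources with no `IP` key (nfcapd then binds to every interface). The source names, ports and addresses in the sample are made up.

```python
import re

# Constructed nfsen.conf fragment in the Perl syntax NFSen uses.
# Names, ports and addresses are sample values, not the post's config.
SAMPLE_CONF = r"""
$PREFIX = '/usr/bin';
$USER   = "netflow";
%sources = (
    'ovs-br0' => { 'port' => '9995',  'col' => '#0000ff', 'type' => 'netflow' },
    'ovs-br1' => { 'port' => '9995',  'col' => '#00ff00', 'type' => 'netflow' },
    'peer1'   => { 'port' => '9996',  'IP' => '192.0.2.10' },
    'legacy'  => { 'port' => '70000', 'type' => 'netflow' },
);
"""

SOURCES_RE = re.compile(r"%sources\s*=\s*\((.*?)\);", re.S)   # the whole hash
ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{([^}]*)\}")        # 'name' => { ... }
KV_RE = re.compile(r"'([^']+)'\s*=>\s*'([^']*)'")             # 'key' => 'value'


def parse_sources(conf_text):
    """Return {source_name: {key: value}} from the %sources hash."""
    m = SOURCES_RE.search(conf_text)
    if not m:
        raise ValueError("no %sources block found")
    return {name: dict(KV_RE.findall(body))
            for name, body in ENTRY_RE.findall(m.group(1))}


def check_sources(sources):
    """Return warnings for settings that cause lost flows or an
    over-exposed collector: duplicate ports, bad ports, no IP binding."""
    warnings = []
    seen = {}  # port -> first source that claimed it
    for name, opts in sources.items():
        port = int(opts.get("port", "0"))
        if not 1 <= port <= 65535:
            warnings.append(f"{name}: port {port} is not a valid UDP port")
        elif port in seen:
            warnings.append(f"{name}: port {port} already used by {seen[port]}")
        seen.setdefault(port, name)
        if "IP" not in opts:
            warnings.append(f"{name}: no 'IP' set, nfcapd will bind all interfaces")
    return warnings


if __name__ == "__main__":
    for line in check_sources(parse_sources(SAMPLE_CONF)):
        print("WARNING:", line)
```

Point it at the real file with `parse_sources(open("/usr/src/nfsen/etc/nfsen.conf").read())`; an empty warning list means every collector has a unique, valid port and an explicit bind address.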
These are the changes to the nfsen.conf file: