For a while now, I've been using the Flow-Tools set of netflow analysis tools. I've heard that Nfdump and Nfsen are the current netflow tools of choice. The weakness with Flow-Tools has been on the web side: the command line tools are rich, but the graphical side has lacked a little. I'm hoping to see something better with this alternative tool set.
Peter Haag, the toolset author, has a presentation titled Watch Those Flows. There is a second, larger paper called Watch your Flows with NfSen and NFDUMP.
Download, expand, and build the snapshot from the Nfdump project on SourceForge:
cd /usr/src
wget http://internap.dl.sourceforge.net/sourceforge/nfdump/nfdump-snapshot-20070208.tar.gz
tar -zxvf nfdump-snapshot-20070208.tar.gz
cd nfdump-snapshot-20070208
./configure
make
make install
There are man pages for each of the tools. There must be a separate nfcapd process for each netflow source. So that collection starts when the monitoring server boots, these can be placed in the /etc/rc.local config file, which is processed near the end of the operating system boot process. The author provides the following as an example:
nfcapd -w -D -l /flow_base_dir/router1 -p 23456
nfcapd -w -D -l /flow_base_dir/router2 -p 23457
I've used (pre-create the directory):
nfcapd -p 9999 -l /var/local/nfdump/flows -S 7 -w -I bmr01
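As an added example (not part of the original post or of the nfdump project), the following POSIX shell script turns a small table of exporters into the per-source nfcapd lines for /etc/rc.local, pre-creating each flow directory and refusing duplicate listen ports (a second nfcapd cannot bind the same UDP port), and checks whether a collector directory has received a flow file recently. The exporter table and the ten-minute staleness threshold are constructed assumptions; the flags are the ones used above.

```shell
#!/bin/sh
# Added example: generate nfcapd start lines and check collector liveness.
# Assumes nfcapd flags as used in the post: -p port, -l dir, -S 7, -w, -D, -I ident.

# Constructed sample exporter table: identifier, UDP listen port, flow directory.
EXPORTERS='
bmr01 9999 /var/local/nfdump/flows/bmr01
router2 23457 /var/local/nfdump/flows/router2
'

# Print one nfcapd command line per exporter, suitable for /etc/rc.local.
# Returns 1 on a malformed or duplicate port, since the second collector
# would fail to bind and that source would silently go uncollected.
nfcapd_lines() {
  seen=""
  while read -r ident port dir; do
    [ -z "$ident" ] && continue
    case "$port" in
      ''|*[!0-9]*) echo "bad port for $ident: $port" >&2; return 1 ;;
    esac
    case " $seen " in
      *" $port "*) echo "duplicate port $port ($ident)" >&2; return 1 ;;
    esac
    seen="$seen $port"
    # nfcapd does not create the base directory itself (see "pre-create the directory").
    mkdir -p "$dir" || return 1
    printf 'nfcapd -p %s -l %s -S 7 -w -D -I %s\n' "$port" "$dir" "$ident"
  done <<EOF
$EXPORTERS
EOF
}

# Return 0 if DIR holds an nfcapd output file modified within MINUTES (default 10),
# else 1. nfcapd rotates its file every 5 minutes by default, so nothing newer than
# 10 minutes means the exporter stopped sending or the collector stopped writing.
flows_recent() {
  dir=$1
  minutes=${2:-10}
  [ -n "$(find "$dir" -type f -name 'nfcapd.*' -mmin "-$minutes" 2>/dev/null | head -n 1)" ]
}
```

Run `nfcapd_lines >> /etc/rc.local` once the table matches your exporters, and call `flows_recent` from cron to alert on a source that has gone quiet.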
Each interface on a Cisco router should have the following:
interface fastethernet 0/0
ip route-cache flow
A basic config to export the flows would be:
ip flow-export
ip flow-export version 5
ip flow-cache timeout active 5
Note that even though lower-end switches like the 3550, 3750, and 3560 have some of the netflow commands, they will only export process-switched flows. Talk to your Cisco account manager; as a group, we may be able to influence Cisco to provide full netflow capability in its 'everyday' line of switches.
The alternative to this problem is to use the nProbe utility from NTOP. Connect a promiscuous ethernet port to a SPAN (mirror) port on a switch. nProbe will capture the packets, evaluate them, and forward netflows to the netflow capture utility. As a bonus, nProbe is useful in VoIP networks, as it knows how to evaluate RTP streams and forward helpful statistics on a per-flow basis. I'll try to write this up in another entry.
As a side note, I came across Plixer International, who were previously known as Somix Technologies. They have a netflow analyzer available for download.