Nfsen & Nfdump

Topics: IP address, Time, Data Pages: 27 (7934 words) Published: August 24, 2012
User Documentation nfdump & NfSen
This is the combined documentation of nfdump & NfSen. Both tools are distributed under the BSD license and can be downloaded at nfdump nfsen This documentation describes nfdump tool v1.5 and NfSen v1.2.3.

1.1 NFDUMP tools overview
All tools support netflow v5, v7 and v9. nfcapd - netflow capture daemon. Reads the netflow data from the network and stores the data into files. Automatically rotate files every n minutes. ( typically every 5 min ) nfcapd reads netflow v5, v7 and v9 flows transparently. You need one nfcapd process for each netflow stream. nfdump - netflow dump. Reads the netflow data from the files stored by nfcapd. It's syntax is similar to tcpdump. If you like tcpdump you will like nfdump. Nfdump displays netflow data and can create lots of top N statistics of flows IP addresses, ports etc ordered by whatever order you like. nfprofile - netflow profiler. Reads the netflow data from the files stored by nfcapd. Filters the netflow data according to the specified filter sets ( profiles ) and stores the filtered data into files for later use. Mostly used by NfSen. nfreplay - netflow replay Reads the netflow data from the files stored by nfcapd and sends it over the network to another host. - cleanup old data Sample script to cleanup old data. You may run this script every hour or so. ft2nfdump – Optional binary: Reads and converts flow-tools data. Reads flow-tools data from files or from stdin in a chain of flow-tools commands and converts the data into nfdump format to be processed by nfdump.

1.2 Principle of Operation:
The goal of the design is to be able to analyze netflow data from the past as well as to track interesting traffic patterns continuously. The amount of time back in the past is limited only by the disk space available for all the netflow data. The tools are optimized for speed for efficient filtering. The filter rules look familiar to the syntax of tcpdump ( pcap like ).

User Documentation nfdump & NfSen Version 1.1 Author: Peter Haag


All data is stored to disk, before analyzing. This separates the process of storing and analyzing the data. The data is organized in a time based fashion. Every n minutes - typically 5 min - nfcapd rotates and renames the output file with the time stamp nfcapd.YYYYMMddhhmm of the interval e.g. nfcapd.200407110845 contains data from July 11th 2004 08:45 onward. Based on a 5min time interval, this results in 288 files per day. Analyzing the data can be done for a single file, or by concatenating several files for a single run. The output is either ASCII text or binary data, when saved into a file, ready to be processed again with the same tools. You may have several netflow sources - let's say 'router1' 'router2' and so on. The data is organized as follows: /flow_base_dir/router1 /flow_base_dir/router2 which means router1 and router2 are subdirs of the flow_base_dir. For each of the netflow sources you have to start an nfcpad process: nfcapd -w -D -l /flow_base_dir/router1 -p 23456 nfcapd -w -D -l /flow_base_dir/router2 -p 23457 A note on security: None of the tools requires root privileges, unless you have a port < 1024. However, there is no access control mechanism in nfcapd. It is assumed, that host level security is in place to filter the proper IP addresses. See the manual pages or use the -h switch for details on using each of the programs.

1.3 Configuration:
You need to configure your router to export netflow data. See the relevant documentation for your model. A generic CISCO sample to enable Netflow on an interface may look like: interface fastethernet 0/0 ip route-cache flow To tell the router where to send the netflow data, enter the following global configuration command:

User Documentation nfdump & NfSen Version 1.1 Author: Peter Haag


Continue Reading

Please join StudyMode to read the full document

Become a StudyMode Member

Sign Up - It's Free