Monitoring Network Traffic with Netflow
Sensor Setup
The easiest software to install is the sensor. First, make sure that your
sensor hardware can listen to all network traffic. Once you have that you can
install sensor software. I recommend softflowd(8).
Softflowd builds and runs out-of-the-box with a simple make all install clean
on BSD and Linux, requiring only libpcap. (FreeBSD includes the
ng_netflow netflow system, but as I have sensors running on Linux
as well, I don't use it. I prefer to use a single piece of software on every
operating system whenever possible.) Once you have softflowd installed, you
only need the interface name you want to monitor and the IP address and UDP
port where your collector is listening. For example, to listen on the
em0 interface and send the collected data to 172.16.13.5, port
8818, run:
# softflowd -i em0 -n 172.16.13.5:8818
The sensor will immediately begin listening to the network and sending session information to the collector. Make sure that this program starts at boot!
Softflowd includes a control program, softflowctl(8), that
allows you to issue commands to a running softflowd. To make sure that the
software is actually working, check the softflow statistics after softflowd has
been running for a few moments.
# softflowctl statistics
softflowd[40475]: Accumulated statistics:
Number of active flows: 2298
Packets processed: 268086
Fragments: 0
Ignored packets: 867 (867 non-IP, 0 too short)
Flows expired: 3103 (0 forced)
Flows exported: 6206 in 214 packets (0 failures)
...
The important output here is the second line, which tells you how many flows
are active at the moment, and the exported line, which tells you
how many flows softflowd has exported to the collector.
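As an added example (not part of the original article or of softflowd itself), here is a small POSIX shell health check that parses the statistics listing above. It pulls out the active-flow count, the number of flows exported and the export failure count, and flags a sensor that has exported nothing or is seeing export failures, which is what you would want a cron job or monitoring agent to alert on. The two statistics listings embedded below are constructed to match the format shown above; against a live sensor you would feed it `softflowctl statistics` instead.

```shell
#!/bin/sh
# Added example: health check over `softflowctl statistics` output.
# Not from the article or the softflowd project; the sample listings are constructed.

# Extract N from "Number of active flows: N" (leading whitespace tolerated).
active_flows() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Number of active flows: \([0-9][0-9]*\).*/\1/p'
}

# Extract N from "Flows exported: N in M packets (F failures)".
flows_exported() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Flows exported: \([0-9][0-9]*\) in .*/\1/p'
}

# Extract F (the failure count) from the same "Flows exported:" line.
export_failures() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Flows exported: .*(\([0-9][0-9]*\) failures).*/\1/p'
}

# Returns 0 when the sensor looks healthy (something exported, no failures),
# 1 when it is running but not exporting cleanly, 2 when the output cannot be parsed.
check_sensor() {
    stats="$1"
    active=$(active_flows "$stats")
    exported=$(flows_exported "$stats")
    failures=$(export_failures "$stats")
    if [ -z "$exported" ] || [ -z "$failures" ]; then
        echo "ERROR: could not parse softflowctl statistics output"
        return 2
    fi
    if [ "$exported" -eq 0 ]; then
        echo "WARNING: no flows exported yet (active flows: ${active:-unknown})"
        return 1
    fi
    if [ "$failures" -gt 0 ]; then
        echo "WARNING: $failures export failures; check the collector address and UDP port"
        return 1
    fi
    echo "OK: $active active flows, $exported exported, no failures"
    return 0
}

# Constructed sample shaped like the article's listing: a healthy sensor.
SAMPLE_OK='softflowd[40475]: Accumulated statistics:
Number of active flows: 2298
Packets processed: 268086
Fragments: 0
Ignored packets: 867 (867 non-IP, 0 too short)
Flows expired: 3103 (0 forced)
Flows exported: 6206 in 214 packets (0 failures)'

# Constructed sample of a sensor whose exports are failing (e.g. collector unreachable).
SAMPLE_FAIL='softflowd[40475]: Accumulated statistics:
Number of active flows: 12
Packets processed: 500
Fragments: 0
Ignored packets: 3 (3 non-IP, 0 too short)
Flows expired: 40 (0 forced)
Flows exported: 80 in 4 packets (4 failures)'

check_sensor "$SAMPLE_OK"
check_sensor "$SAMPLE_FAIL" || :
# Against a live sensor: check_sensor "$(softflowctl statistics)"
```

A non-zero failure count usually means the collector address or port given with -n is wrong or filtered, so the check pairs well with watching the collector side with tcpdump, for example tcpdump -n udp port 8818, to confirm the datagrams actually arrive.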
If you search, you can find a wide variety of sensors. Cisco routers can export Netflow data--at the expense of your router's precious CPU time. If you have a complicated router setup, or if you have a very low-end router, this can overload your router. Cisco would be very happy to sell you a router upgrade so that you could properly export Netflow, mind you, but generally a Unix-like box is more cost-effective. Many other devices also speak Netflow; check your documentation if you're interested.
If you have Ethereal or tcpdump installed, I recommend using it at this
point to confirm that you are actually receiving Netflow data at your
collector. If not, confirm that softflowd is running and perhaps try the
-D (debug) flag to see if there are any problems with your
setup.
Softflowd only sends flow information to the collector once the flow has
ended--for example, when the FTP session ends, when the Web page has been
delivered, and so on. This means that at any moment, softflowd will have a
cache of connections in progress. When you stop softflowd, run
softflowctl shutdown so that softflowd will expire those flows and
send them to your collector immediately. Simply shutting down the server
running softflowd will cause you to lose the active-but-incomplete flows.
You're going to lose some information anyway if you reboot your sensor, but you
might as well keep that loss as minimal as possible.