nfsen-with-plugins installation
Gist by PSJoshi (7802c1ac06a14a7bedfd376c98af5d5c), last active June 29, 2022 05:54
Installing fprobe/nfdump/nfsen with plugins like PortTracker:
-------------------------------------------------------------
1) Make sure that SELinux is disabled.
vi /etc/selinux/config
set SELINUX=disabled
2) Start and enable httpd at boot
# service httpd start
# chkconfig httpd on
3) Install required rpms
---------------------
# yum groupinstall "Development Tools"
# yum install gcc make httpd php perl rrdtool rrdtool-devel rrdtool-perl perl-MailTools perl-Socket6 perl-TimeDate flex byacc bison libpcap libpcap-devel -y
4) Install fprobe
---------------
Download fprobe from the SourceForge site - https://sourceforge.net/projects/fprobe/files/latest/download
Then:
# tar -xjvf fprobe-1.11.tar.bz2
# cd fprobe-1.11
# ./configure
# make
# make install
Now run fprobe with: /usr/local/sbin/fprobe -i eth0 -f "ip" -n7 remote:port
e.g.
# /usr/local/sbin/fprobe -i eth0 -f "ip" -n7 127.0.0.1:9995
and make sure that the process is running using the 'ps aux' command.
5) Install nfdump
------------------------
Download nfdump from the SourceForge site (http://nfdump.sourceforge.net/) and install it
(--enable-nftrack builds the nftrack binary that the PortTracker plugin needs):
# tar -zxvf nfdump-1.6.11.tar.gz
# cd nfdump-1.6.11
nfdump-1.6.11]# ./configure --enable-nfprofile --enable-nftrack --enable-nfpcapd
nfdump-1.6.11]# make
nfdump-1.6.11]# make install
### You can check whether nfcapd can collect network data or not using
# nfcapd -w -D -S 2 -B 1024000 -l /opt/nfcapd_test/ -p 9995
6) Install nfsen
-----------------
Download NfSen from http://nfsen.sourceforge.net/.
# useradd netflow
# usermod -aG apache netflow    (-a appends to the supplementary groups instead of replacing them)
# tar zxf nfsen-1.3.7.tar.gz
# cd nfsen-1.3.7/etc
# cp nfsen-dist.conf nfsen.conf
# vim nfsen.conf
Assuming that nfsen is under /opt, the uncommented version of nfsen.conf should typically look like this:
[root@psj nfsen]# cat /home/joshi/Downloads/nfsen-1.3.6p1/etc/nfsen.conf |grep -v ^#|grep -v ^$
$BASEDIR = "/opt/nfsen";
$BINDIR="${BASEDIR}/bin";
$LIBEXECDIR="${BASEDIR}/libexec";
$CONFDIR="${BASEDIR}/etc";
$HTMLDIR = "/opt/nfsen/www/";
$DOCDIR="${HTMLDIR}/doc";
$VARDIR="${BASEDIR}/var";
$PROFILESTATDIR="${BASEDIR}/profiles-stat";
$PROFILEDATADIR="${BASEDIR}/profiles-data";
$BACKEND_PLUGINDIR="${BASEDIR}/plugins";
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
$PREFIX = '/usr/local/bin';
$USER = "netflow";
$WWWUSER = "apache";
$WWWGROUP = "apache";
$BUFFLEN = 200000;
$SUBDIRLAYOUT = 1;
$ZIPcollected = 1;
$ZIPprofiles = 1;
$DISKLIMIT = 98;
$PROFILERS = 6;
%sources = (
'test' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
#'peer1' => { 'port' => '9996', 'IP' => '172.16.17.18' },
#'peer2' => { 'port' => '9996', 'IP' => '172.16.17.19' },
);
$low_water = 90;
$syslog_facility = 'local3';
@plugins = (
# profile # module
# [ '*', 'demoplugin' ],
);
%PluginConf = (
# For plugin demoplugin
demoplugin => {
# scalar
param2 => 42,
# hash
param1 => { 'key' => 'value' },
},
# for plugin otherplugin
otherplugin => [
# array
'mary had a little lamb'
],
);
$MAIL_FROM = 'your@from.example.net';
$SMTP_SERVER = 'localhost';
$MAIL_BODY = q{
Alert '@alert@' triggered at timeslot @timeslot@
};
1;
Install nfsen now using:
# cd ..
# perl install.pl etc/nfsen.conf
Make sure that apache can write to /opt/nfsen. If not, change the ownership:
# chown -R netflow:apache /opt/nfsen
[root@psj nfsen]# ls -l
total 32
drwxr-xr-x 2 root apache 4096 May 12 14:33 bin
drwxr-xr-x 2 root apache 4096 May 12 15:17 etc
drwxr-xr-x 2 root apache 4096 May 12 14:33 libexec
drwxr-xr-x 2 root apache 4096 May 12 15:07 plugins
drwxrwxr-x 3 netflow apache 4096 May 12 14:33 profiles-data
drwxrwxr-x 3 netflow apache 4096 May 12 14:33 profiles-stat
drwxrwxr-x 6 netflow apache 4096 May 12 14:33 var
drwxr-xr-x 6 netflow apache 4096 May 12 14:33 www
Make nfsen start at boot. Please refer to the reference links for writing a daemon script; once it is in place as /etc/init.d/nfsen:
# chmod 755 nfsen && chkconfig --add nfsen && chkconfig nfsen on
Configure apache
----------------
[root@psj nfsen]# cat /etc/httpd/conf.d/nfsen.conf
Alias /nfsen /opt/nfsen/www/
<Directory /opt/nfsen/www/>
DirectoryIndex nfsen.php
Options -Indexes
order allow,deny
allow from all
</Directory>
Note that NfSen relies on the web server for authentication, so 'allow from all' makes the frontend (and its flow data) reachable by every client that can reach httpd; restrict it to a management network or put Apache authentication in front of it before exposing it beyond localhost.
Now, you can start nfsen using
# service nfsen start
and browse the web frontend at http://localhost/nfsen
Typical issues:
--------------
In /var/log/messages: nfsen[28855]: Error reading channel stat information. Missing key 'first'
If you see this, NfSen still seems to work fine for the 'live' profile; don't worry.
Go to the Stats tab in the web interface and edit the 'live' profile.
Set some meaningful expire values for this profile. This automatically
fixes the error: NfSen expects all profiles to have either time or size expire values.
Installing PortTracker plugin
------------------------------
Make a directory for the nftrack data
-------------------------------------
mkdir /var/ports-db
chown -R netflow:apache /var/ports-db
Modify portsdb directory
-------------------------
Go to the directory where you downloaded and extracted the nfsen-1.3.6p1 files:
$ cd nfsen-1.3.6p1/contrib/PortTracker
$ vim PortTracker.pm
Find the line:
my $PORTSDBDIR = "/data/ports-db";
and change it to:
my $PORTSDBDIR = "/var/ports-db";
Save and exit.
Install the plugin into the nfsen directory
-----------------------------------------------
$ sudo cp PortTracker.pm /opt/nfsen/plugins/
$ sudo cp PortTracker.php /opt/nfsen/plugins/
$ sudo cp PortTracker.php /opt/nfsen/www/plugins/
Add the plugin definition to the nfsen.conf configuration
---------------------------------------------------------
$ cd /opt/nfsen/etc
$ sudo vim nfsen.conf
Find the plugins section and make it look like this:
@plugins = (
[ 'live', 'PortTracker'],
);
Save and exit from the file.
Initialize the PortTracker database files
------------------------------------------
$ sudo -u netflow nftrack -I -d /var/ports-db
or run it as root and then fix the ownership:
# /usr/local/bin/nftrack -I -d /var/ports-db
Create DBs ...
Creating udp:bytes | Left: 1 filessess
Port DBs initialized.
(This can take a LONG time! About 8 GB of files will be created.)
# chown -R netflow:apache /var/ports-db
$ sudo chmod 775 /var/ports-db
$ sudo chmod 664 /var/ports-db/*
Restart NfSen
------------------
$ sudo service nfsen reload
Check for success:
$ grep -i 'porttracker.*success' /var/log/messages
Oct 12 13:19:35 pc1 nfsen[28005]: Loading plugin 'PortTracker': Success
Oct 12 13:19:35 pc1 nfsen[28005]: Initializing plugin 'PortTracker': Success
Wait some minutes, then go to the NfSen GUI and select the Plugins tab.
You may get an error that "No plugins available!": if so, quit and restart your browser.
You may get "Error reading stat". You will need to wait a few minutes before NfSen begins to show the graphs.
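The following script bundles the post-install checks from the PortTracker steps above (the @plugins entry in nfsen.conf, the two "Success" syslog lines after the reload, and the 775 mode on /var/ports-db) so they can be re-run after every reload. It is an added example, not part of this gist or of NfSen; the default paths are the ones used in this guide and the three positional arguments override them.

```shell
#!/bin/sh
# Post-install checks for the NfSen + PortTracker setup described above.
# Added example, not part of the gist or of NfSen; paths default to the
# ones this guide uses: nfsen.conf, syslog file, ports-db directory.

# plugin_loaded PLUGIN SYSLOG
# True when SYSLOG holds both lines the guide greps for after the reload:
#   nfsen[PID]: Loading plugin 'PLUGIN': Success
#   nfsen[PID]: Initializing plugin 'PLUGIN': Success
plugin_loaded() {
    grep -q "nfsen\[[0-9]*\]: Loading plugin '$1': Success" "$2" 2>/dev/null &&
    grep -q "nfsen\[[0-9]*\]: Initializing plugin '$1': Success" "$2" 2>/dev/null
}

# plugin_configured PLUGIN NFSEN_CONF
# True when an uncommented @plugins entry such as   [ 'live', 'PortTracker'],
# names PLUGIN; a leading '#' (like the demoplugin line) means it is still off.
plugin_configured() {
    grep -Eq "^[[:space:]]*\[[[:space:]]*'[^']+'[[:space:]]*,[[:space:]]*'$1'[[:space:]]*\]" "$2" 2>/dev/null
}

# portsdb_mode_ok DIR
# True when DIR carries the mode the guide sets (chmod 775): nftrack runs as
# $USER (netflow) and writes it, the web frontend runs as $WWWGROUP (apache) and reads it.
portsdb_mode_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "drwxrwxr-x" ]
}

# report LABEL CHECK ARGS...: prints ok/FAIL for one check, never aborts the script
report() {
    _label=$1; shift
    if "$@"; then echo "ok   $_label"; else echo "FAIL $_label"; fi
}

# run_checks [NFSEN_CONF] [SYSLOG] [PORTSDB_DIR]
run_checks() {
    report "PortTracker enabled in nfsen.conf"  plugin_configured PortTracker "${1:-/opt/nfsen/etc/nfsen.conf}"
    report "PortTracker loaded and initialized" plugin_loaded PortTracker "${2:-/var/log/messages}"
    report "ports-db directory mode is 775"     portsdb_mode_ok "${3:-/var/ports-db}"
}

run_checks "$@"
```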
Some ways to test whether the plugin is working correctly
------------------------------------------------------------
[root@psj nfsen]# /usr/local/bin/nftrack -d /var/ports-db/ -r /opt/nfsen/profiles-data/live/test/nfcapd.current.20861 -s
The nftrack process with pid 21126 died unexpectedly!
Segmentation fault
If you get a segmentation fault, stop nfsen and rebuild the 'ports-db' database.
Check profile statistics
-------------------------
[root@psj nfsen]# cd /opt/nfsen
[root@psj nfsen]# ./bin/nfsen -l live
name live
group (nogroup)
tcreate Wed May 11 15:20:00 2016
tstart Thu May 12 09:50:00 2016
tend Thu May 12 12:00:00 2016
updated Thu May 12 12:00:00 2016
expire 0 hours
size 176.0 KB
maxsize 100.0 MB
type live
locked 0
status OK
version 130
channel netflow sign: + colour: #0000ff order: 1 sourcelist: netflow Files: 27 Size: 180224
Test plugin
----------
[root@psj nfsen]# cd /opt/nfsen
[root@psj nfsen]# ./bin/testPlugin -p demoplugin -P live -t 201605121155
Load plugin 'demoplugin' : Success
Initialize plugin : Success
Run plugin 'demoplugin' with profile 'live' at '201605121155'
Plugin run successfully, at least as far as I can tell ...
Useful sources
-------------
https://nsrc.org/workshops/2014/nsrc-tein-ait/raw-attachment/wiki/Agenda/exercise5-NfSen-PortTracker.htm
http://steronius.blogspot.in/2013/05/install-nfsight-plugin-for-nfsen-on.html
http://serverfault.com/questions/430148/initializing-portracker-database-files-in-nfsen
https://github.com/mdjunior/nfsen-plugins
https://github.com/sown/nfsen/blob/master/contrib/PortTracker/INSTALL
https://github.com/phaag/nfdump