Take control of your network traffic with Nfsen/nfdump

In my search for a good netflow collector i came across nfsen as a graphical interface and decided to give it a try. Nfsen gives you the ability to use custom filters to select internet traffic, protocols and such. To use nfsen you need rrdtool, php5 and apache2 installed on your system, i used Debian in this example.

NFsenInstall some other tools that we will need:
apt-get install gcc flex librrd-dev make

Now you are ready to install nfdump (the collector) with the following command:
apt-get install nfdump

Now install Apache, php, rrd etc:
apt-get install apache2 libapache2-mod-php5 php5-common libmailtools-perl rrdtool librrds-perl

Go to the website of nfsen on sourceforge and download the latest version to your machine, extract it and go in to the folder:
tar xzvf nfsen-1.3.x.tar.gz; cd nfsen-1.3.x

In the folder etc/ you will find the config, we have to copy this to our /etc folder en edit it:
cp etc/nfsen-dist.conf /etc/nfsen.conf
nano /etc/nfsen.conf

Look for the following items and change them according to your configuration:
$USER = “www-data”;
$WWWUSER = “www-data”;
$WWWGROUP = “www-data”;

In my case debian runs under the user www-data but this could be anything depending on your configuration. Now go to the headline ‘%sources’ and add your first host to monitor.
%sources = (
‘router-1’ => { ‘port’ => ‘9996’, ‘col’ => ‘#000000’, ‘type’ => ‘netflow’ },

Now, go back to the extracted tolder of nfsen and run the installer like this:
mkdir -p /data/nfsen
./ /etc/nfsen.conf

This will place all the files we need in the /data/nfsen folder and setup the rest. Were good to go and we can start it now.
cd /data/nfsen/bin
./nfsen start

Thats it, done! Now go to the website in your browser ( http://xx.xx.xx.xx/nfsen/nfsen.php ) and wait for +/- 20 minutes to see the results. Seriously, wait at least 15 minutes before thinking it doesn’t work (it takes some time).

NFsen interface
When you go to the page you will see the TCP, UDP, ICMP and total traffic graphs filling with information. When you click on it, going in detail mode, it shows you a bigger graph in which you can select a time/date to zoom in on. That way you can always investigate what happened 5 minutes, an hour or 3 days ago. This is something that i really missed when using only Cacti/MRTG etc.

On the detail page, below the graph, you see a form with several selection menu’s. Here you can run a very detailed selection on that specific moment and see what traffic caused the peek and/or to what network that data was flowing.

NFsen Detail

Are you a network administrator and want to secure the network, and/or the users, from botnet activity? This is the best way to monitor this – by using the ‘alert’ option you can tell nfsen to sent you an e-mail when activity is shown to a certain IP address, range, network or so on.

For Vyatta users
This is the configuration you should use on a Vyatta router :
vyatta@router-1# show system flow-accounting
interface eth1
interface eth0
netflow {
server {
port 9996
version 5

  1. […] been using Netflow to monitor network traffic since beginning of this year and still i’m a big fan. Netflow allowes you to really dig in the actual network traffic that […]


Geef een reactie

%d bloggers liken dit: