In the previous session we saw how to configure netflow on our campus router and how to export flow records to the collector. Now let's have a look at the collector. We're going to start off by looking at something called Nfdump. Nf-dump has two components. It's got the netflow capture daemon nfcapd and it's got nfdump command line tool to take these exported flows and make them human readable. The slide shows the architecture. We've got the router exporting flow records. nfcapd is the daemon that captures these and writes them to flat files and then we've got nf-dump which is the command line that displays these captured flow records. nfdump is free and open source. It runs on the collector itself. nfcapd listens for incoming flow records and writes them to disk and typically it will start a new file every 5 minutes. And nfdump reads the files and turns them into human readable output. nfdump has command line options to filter and aggregate the flows. For analyzing the flows we use something called nfSen or netflow sensor. It's a companion of nfdump. nfSen is basically a web graphical user interface making easier for the network administrator to see what's going on with the flows in the network. It creates round-robin database graphs of traffic totals. It will let you zoom in to a time of interest and do netflow dump analysis on that era. nfSen will also manage nfcapd instances for you so you can run multiple nfcapd instances for listening to flows from multiple routers. For example, you may capture flows from your campus core router and your border router. If you have a redundant core and redundant border you probably have two border routers and two core routers you're going to capture flows from. nfSen has plug-ins available for it like the popular port tracker as well as surfmap and many others contributed by the community. The slide shows the nfSen architecture. We have the router exporting flow records. nfSen manages nfcapd which produces the flat files. nfSen will take these flat files and categorize them according to whether it's TCP or UDP or ICMP or other and then it can produce graphs or combine all of these graphs as an overall view of the traffic flow in the network. There's some points to note about nfSen. Every five minutes nfcapd starts a new file and nfSen processes the previous one. So what you see in the nfSen graph is what happened up to five minutes ago. Each graph point covers five minutes. The graph shows you the total of selected traffic in that five minute period. To get more detailed information on individual flows in that period the GUI lets you drill down using nfdump. nfSen has also got a concept of profiles and channels. A channel identifies a type of traffic to graph and a profile is a collection of channels which can be shown together. You can create your own profiles and channels and hence graphs. for example, you might want to produce one of HTTP traffic, another of HTTPS, another one of SMTP and so on. Or you could monitor traffic to and from the science department for example. And you can then use filters to define the traffic of interest in the network. The slide shows an example of how you might set up profiles and channels. We've set up a profile here with five different channels: one channel of HTTP, another one of HTTPS, another one with SMTP, another one of POP3 and another one with IMAP. And we've gathered all these together to produce a graph with different colors showing the traffic levels of each particular channel.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.