Tuesday, June 08, 2010

netflow on Ubuntu 8.04

To generate and collect netflow data on an Ubuntu 8.04 box, I had to install a couple of packages:

sudo apt-get install fprobe
sudo apt-get install nfdump

fprobe is the daemon that listens to the traffic and exports a netflow stream to a collector. The nfdump package includes nfcapd, which listens for the netflow stream and writes the flow files to your disk (or wherever you point it).

On Ubuntu 8.04 x86-64, fprobe installed an /etc/default file and an /etc/init.d/fprobe file. However, after a quick customization of those files, I found that my changes were ignored and fprobe did not actually run. For now I just ran it manually as root:

fprobe -p -i eth1 -fip localhost:555

The -p flag tells fprobe not to bother putting the interface into promiscuous mode. I did that because I had already put the interface into promiscuous mode manually, after noticing in /var/log/messages that eth0 had been put into promiscuous mode even though it had no IP address and was not being used.

The -i flag tells it which interface to get traffic from.

The -f flag gives fprobe a capture filter; here "ip" restricts it to IP traffic, and it is currently required to get any traffic collected at all.

Finally, the last argument is the host and port to send the netflow stream to for collection. With that, I had flows being exported!

Next I needed to collect the flows. I was able to edit the /etc/init.d/nfdump file to customize nfdump to work with my machine. You can get it at marmot. The main ingredients are the arguments you feed to nfcapd; here are mine:
DAEMON_ARGS="-D -p 555 -4 -l /home/lincolnr/incoming/nfcap/"

That tells nfcapd to run as a daemon (-D), listen on port 555 for netflow data (-p 555), use IPv4 (-4), and use /home/lincolnr/incoming/nfcap as the storage area for the flow files (-l). This is probably not a good production setup, as there is no filtering of where the netflow data comes from: any netflow stream that reaches that port will get processed, so anyone who can reach the port could feed bogus flow records into your collection.
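Since nfcapd as configured here trusts whatever arrives on the port, the following is an added example (not code from this post, nor from the fprobe or nfdump projects) of the check a collector could apply before trusting a record: confirm the sender is a known exporter, validate the NetFlow v5 header and length, and watch the flow_sequence counter for gaps and replays. fprobe exports NetFlow v5 by default. The sample datagram is constructed here from the SSH session figures shown later in the post; ALLOWED_EXPORTERS, the timestamp and the TCP flag values are assumptions.

```python
"""NetFlow v5 datagram parser with a collector-side exporter allowlist.
Added example, not code from the original post or from fprobe/nfdump."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

# Assumption: fprobe runs on the collector itself and sends to localhost.
ALLOWED_EXPORTERS = {"127.0.0.1"}


class NetflowError(ValueError):
    """Raised for datagrams that are not a well-formed v5 export."""


def parse_v5(datagram):
    """Return (header, records) for a v5 datagram, or raise NetflowError."""
    if len(datagram) < V5_HEADER.size:
        raise NetflowError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise NetflowError("unsupported NetFlow version %d" % version)
    if not 1 <= count <= 30:                      # v5 carries at most 30 records
        raise NetflowError("bad record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise NetflowError("length %d does not match count %d" % (len(datagram), count))
    header = {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
              "flow_sequence": flow_seq, "engine": (engine_type, engine_id),
              "sampling": sampling}
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "src_port": sport, "dst_port": dport, "proto": proto,
                        "packets": pkts, "bytes": octets,
                        "duration_ms": last - first, "tcp_flags": tcp_flags})
    return header, records


class SequenceTracker:
    """Per-exporter flow_sequence check. v5 counts flows, not datagrams, so the
    next datagram should start at the previous sequence plus its record count:
    a jump means lost datagrams, a step backwards a duplicate or replay."""

    def __init__(self):
        self.next_seq = {}

    def check(self, exporter, header):
        seq, expected = header["flow_sequence"], self.next_seq.get(exporter)
        status = "ok"
        if expected is not None and seq < expected:
            status = "replay-or-duplicate"
        elif expected is not None and seq > expected:
            status = "gap:%d" % (seq - expected)
        self.next_seq[exporter] = seq + header["count"]
        return status


def accept_datagram(datagram, sender_ip, tracker=None, allowed=ALLOWED_EXPORTERS):
    """Collector-side gate: drop senders that are not allowlisted exporters,
    then parse and (optionally) sequence-check the datagram."""
    if sender_ip not in allowed:
        return None            # a real collector would log and count this
    header, records = parse_v5(datagram)
    header["sequence_status"] = tracker.check(sender_ip, header) if tracker else "unchecked"
    return header, records


def is_well_formed(datagram):
    """True if parse_v5 accepts the datagram, False if it raises NetflowError."""
    try:
        parse_v5(datagram)
        return True
    except NetflowError:
        return False


def build_v5(records, flow_seq, unix_secs=1275992236):
    """Construct a v5 datagram; used only to produce the sample input below."""
    header = V5_HEADER.pack(5, len(records), 0, unix_secs, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                       b"\0\0\0\0", 0, 0, r["packets"], r["bytes"], 0, r["ms"],
                       r["sport"], r["dport"], 0, r["flags"], r["proto"], 0,
                       0, 0, 0, 0, 0)
        for r in records)
    return header + body


# Constructed sample: both directions of the SSH session from the post's report.
SAMPLE_DATAGRAM = build_v5([
    {"src": "199.18.249.12", "dst": "192.168.2.2", "sport": 59457, "dport": 22,
     "proto": 6, "flags": 0x18, "packets": 45, "bytes": 2548, "ms": 310298},
    {"src": "192.168.2.2", "dst": "199.18.249.12", "sport": 22, "dport": 59457,
     "proto": 6, "flags": 0x18, "packets": 63, "bytes": 58444, "ms": 310303},
], flow_seq=0)

if __name__ == "__main__":
    tracker = SequenceTracker()
    print(accept_datagram(SAMPLE_DATAGRAM, "127.0.0.1", tracker))
    print(accept_datagram(SAMPLE_DATAGRAM, "10.0.0.9", tracker))   # None: not allowlisted
```

The allowlist is the cheap fix for the problem described above; a host firewall rule restricting the collector port to the exporter's address achieves the same thing without touching nfcapd. The sequence check is what tells you afterwards whether the exporter's stream was complete or whether something was replayed into it.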

Then I restarted it with sudo /etc/init.d/nfdump restart.

After that, running ls -al /home/lincolnr/incoming/nfcap showed some non-empty flow files :)
drwxr-xr-x 21 lincolnr root 16384 2010-06-08 09:26 ..
-rw-r--r-- 1 root root 276 2010-06-08 09:37 nfcapd.201006080932
-rw-r--r-- 1 root root 276 2010-06-08 09:43 nfcapd.201006080937
-rw-r--r-- 1 root root 276 2010-06-08 09:48 nfcapd.201006080942
-rw-r--r-- 1 root root 1120 2010-06-08 09:56 nfcapd.201006080951
-rw-r--r-- 1 root root 756 2010-06-08 10:01 nfcapd.201006080956
-rw-r--r-- 1 root root 1900 2010-06-08 10:06 nfcapd.201006081001
-rw-r--r-- 1 root root 1484 2010-06-08 10:11 nfcapd.201006081006

Yay! Notice that root owns the files and they are world readable. I don't really like that part, but it's fine for what I'm trying to do now. Then, using nfdump on those files, I can get reports on the traffic:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2010-06-08 10:20:10.788 0.000 IGMP 192.168.2.1:0 -> 239.255.255.250:0 1 32 1
2010-06-08 10:20:11.497 0.000 IGMP 192.168.2.2:0 -> 224.0.0.251:0 1 32 1
2010-06-08 10:21:14.270 0.000 TCP 208.94.232.254:80 -> 192.168.2.2:54213 1 52 1
2010-06-08 10:21:14.270 0.000 TCP 192.168.2.2:54213 -> 208.94.232.254:80 1 52 1
2010-06-08 10:17:16.609 310.298 TCP 199.18.249.12:59457 -> 192.168.2.2:22 45 2548 1
2010-06-08 10:17:16.568 310.303 TCP 192.168.2.2:22 -> 199.18.249.12:59457 63 58444 1
2010-06-08 10:17:49.883 244.052 UDP 192.168.2.1:1900 -> 239.255.255.250:1900 85 29625 1
2010-06-08 10:22:09.351 0.000 IGMP 192.168.2.1:0 -> 224.0.0.1:0 1 28 1
2010-06-08 10:22:09.804 0.000 IGMP 192.168.2.2:0 -> 224.0.0.251:0 1 32 1
2010-06-08 10:22:17.191 0.000 IGMP 192.168.2.1:0 -> 239.255.255.250:0 1 32 1
2010-06-08 10:22:19.042 0.000 IGMP 192.168.2.1:0 -> 224.0.0.2:0 1 32 1
2010-06-08 10:22:46.366 0.000 UDP 192.168.2.2:138 -> 192.168.2.255:138 2 493 1
2010-06-08 10:23:14.321 0.000 TCP 208.94.232.254:80 -> 192.168.2.2:54213 1 52 1
2010-06-08 10:23:14.321 0.000 TCP 192.168.2.2:54213 -> 208.94.232.254:80 1 52 1
2010-06-08 10:24:15.953 0.000 IGMP 192.168.2.1:0 -> 239.255.255.250:0 1 32 1
2010-06-08 10:24:14.373 0.000 IGMP 192.168.2.1:0 -> 224.0.0.1:0 1 28 1
2010-06-08 10:24:21.405 0.000 IGMP 192.168.2.1:0 -> 224.0.0.2:0 1 32 1
2010-06-08 10:24:19.438 0.000 IGMP 192.168.2.2:0 -> 224.0.0.251:0 1 32 1
Summary: total flows: 18, total bytes: 91630, total packets: 209, avg bps: 1725, avg pps: 0, avg bpp: 438
Time window: 2010-06-08 10:17:16 - 2010-06-08 10:24:21
Total flows processed: 18, skipped: 0, Bytes read: 948
Sys: 0.000s flows/second: 0.0 Wall: 0.000s flows/second: 23076.9
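Once the report above is in hand, the next thing a defender wants is to do something with it rather than read it by eye. The following is an added example (not code from this post or from the nfdump project) that parses nfdump's default line output, cross-checks the per-flow lines against nfdump's own Summary line, merges both directions of a connection into one conversation, and flags long inbound sessions on watched ports. SAMPLE_REPORT is the report printed above; LOCAL_PREFIX, WATCHED_PORTS and the 60-second threshold are assumptions.

```python
"""Parse nfdump's default line output and summarise it for a defender.
Added example, not code from the original post or from the nfdump project."""
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<duration>[\d.]+)\s+"
    r"(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$")
SUMMARY_RE = re.compile(r"total flows: (\d+), total bytes: (\d+), total packets: (\d+)")

LOCAL_PREFIX = "192.168."        # assumption: the monitored LAN
WATCHED_PORTS = {22, 23, 3389}   # assumption: remote-access services worth a look
LONG_SESSION_SECS = 60.0         # assumption


def parse_report(text):
    """Return (list of flow dicts, summary dict) from nfdump line output."""
    flows, summary = [], None
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            f = m.groupdict()
            for key in ("sport", "dport", "packets", "bytes", "flows"):
                f[key] = int(f[key])
            f["duration"] = float(f["duration"])
            flows.append(f)
            continue
        m = SUMMARY_RE.search(line)
        if m:
            summary = dict(zip(("flows", "bytes", "packets"), map(int, m.groups())))
    return flows, summary


def totals_match(flows, summary):
    """Sanity check: the parsed lines must add up to nfdump's Summary line,
    otherwise the parser silently dropped or misread a record."""
    got = tuple(sum(f[k] for f in flows) for k in ("flows", "bytes", "packets"))
    return got == (summary["flows"], summary["bytes"], summary["packets"])


def conversations(flows):
    """Merge the two unidirectional flows of a connection into one entry keyed
    by protocol and the sorted (address, port) endpoints."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0, "duration": 0.0})
    for f in flows:
        ends = sorted([(f["src"], f["sport"]), (f["dst"], f["dport"])])
        c = conv[(f["proto"], ends[0], ends[1])]
        c["packets"] += f["packets"]
        c["bytes"] += f["bytes"]
        c["duration"] = max(c["duration"], f["duration"])
    return dict(conv)


def top_conversations(flows, n=5):
    """Conversations ordered by bytes, largest first."""
    return sorted(conversations(flows).items(),
                  key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def long_inbound_sessions(flows, local=LOCAL_PREFIX, watched=WATCHED_PORTS,
                          threshold=LONG_SESSION_SECS):
    """Flows from outside the local prefix to a watched port on a local host
    that lasted at least `threshold` seconds."""
    return [(f["src"], f["dst"], f["dport"], f["duration"]) for f in flows
            if f["dport"] in watched and f["dst"].startswith(local)
            and not f["src"].startswith(local) and f["duration"] >= threshold]


# The nfdump output from the post, embedded so the example runs offline.
SAMPLE_REPORT = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2010-06-08 10:20:10.788 0.000 IGMP 192.168.2.1:0 -> 239.255.255.250:0 1 32 1
2010-06-08 10:20:11.497 0.000 IGMP 192.168.2.2:0 -> 224.0.0.251:0 1 32 1
2010-06-08 10:21:14.270 0.000 TCP 208.94.232.254:80 -> 192.168.2.2:54213 1 52 1
2010-06-08 10:21:14.270 0.000 TCP 192.168.2.2:54213 -> 208.94.232.254:80 1 52 1
2010-06-08 10:17:16.609 310.298 TCP 199.18.249.12:59457 -> 192.168.2.2:22 45 2548 1
2010-06-08 10:17:16.568 310.303 TCP 192.168.2.2:22 -> 199.18.249.12:59457 63 58444 1
2010-06-08 10:17:49.883 244.052 UDP 192.168.2.1:1900 -> 239.255.255.250:1900 85 29625 1
2010-06-08 10:22:09.351 0.000 IGMP 192.168.2.1:0 -> 224.0.0.1:0 1 28 1
2010-06-08 10:22:09.804 0.000 IGMP 192.168.2.2:0 -> 224.0.0.251:0 1 32 1
2010-06-08 10:22:17.191 0.000 IGMP 192.168.2.1:0 -> 239.255.255.250:0 1 32 1
2010-06-08 10:22:19.042 0.000 IGMP 192.168.2.1:0 -> 224.0.0.2:0 1 32 1
2010-06-08 10:22:46.366 0.000 UDP 192.168.2.2:138 -> 192.168.2.255:138 2 493 1
2010-06-08 10:23:14.321 0.000 TCP 208.94.232.254:80 -> 192.168.2.2:54213 1 52 1
2010-06-08 10:23:14.321 0.000 TCP 192.168.2.2:54213 -> 208.94.232.254:80 1 52 1
2010-06-08 10:24:15.953 0.000 IGMP 192.168.2.1:0 -> 239.255.255.250:0 1 32 1
2010-06-08 10:24:14.373 0.000 IGMP 192.168.2.1:0 -> 224.0.0.1:0 1 28 1
2010-06-08 10:24:21.405 0.000 IGMP 192.168.2.1:0 -> 224.0.0.2:0 1 32 1
2010-06-08 10:24:19.438 0.000 IGMP 192.168.2.2:0 -> 224.0.0.251:0 1 32 1
Summary: total flows: 18, total bytes: 91630, total packets: 209, avg bps: 1725, avg pps: 0, avg bpp: 438
"""

if __name__ == "__main__":
    flows, summary = parse_report(SAMPLE_REPORT)
    print("totals consistent:", totals_match(flows, summary))
    for key, stats in top_conversations(flows, 3):
        print(key, stats)
    print("long inbound sessions:", long_inbound_sessions(flows))
```

On the report above this picks out the one thing worth a second look: a five-minute SSH session from 199.18.249.12 into 192.168.2.2 that moved about 60 KB, which is exactly the kind of record netflow exists to keep even when no packet capture was running.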

Yay! We can generate netflow data from traffic on our Linux box and also capture it. I will write another post to explain more about what this is and why I'm doing it. Hope this helps someone; yes, it does work if you trick it into working :)