-
Notifications
You must be signed in to change notification settings - Fork 8
/
README
executable file
·423 lines (334 loc) · 15.5 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
Inofficial fork of nfdump with libnfread based on:
Stable Release v1.6.10
See the Changelog file for all changes in release 1.6.10
Notes on libnfread
------------------
This is an inofficial fork of nfdump containing libnfread, a library
designed to read netflow records from nfdump files using the codebase
of nfdump. We make this library public in order to allow others to
use it as long as nfdump does not contain an official library interface.
The library is build and installed along with the binaries.
Documentation can be found in the installed nfread/nfread.h header file.
Example code using the library is included under extra/libnfread-example.
Notes on NSEL/ASA support
-------------------------
nfdump-1.6.9 includes a new written from scratch implemented NSEL/ASA
module. It's based on the CISCO ASA Spec 8.4:
"Implementation Note for NetFlow Collectors, Version 8.4"
Due to this new implementation, nfdump-1.6.9 is not compatible with old
nfdump-1.5.8-2-NSEL.
To build nfdump, add --enable-nsel to the configure command. By enabling
the ASA/NSEL option, nfdump processes normal flows as well ASA/NSEL records
likewise. nfcapd adds by default all required NSEL extesions equivalent
to '-Tnsel'
Note on NEL support
-------------------
nfdump-1.6.9 includes a new module for decoding the CISCO NEL ( NAT event
logging ) records. It's considered to be experimantal, as no official
documentation can be found. Let me know otherwise.
To build nfdump, add --enable-nel to the configure command. By enabling
the NEL option, nfdump processes normal flows as well NEL records
likewise. nfcapd adds by default all required NEL extesions equivalent
to '-Tnel'
Although it's possibel to enable NSEL und NEL likewise, users could get
confused by nfdump output, as NSEL output format overwrites NEL format.
In that case you need explicitly to define -o nel.
Notes on IPFIX
---------------
nfdump contains an IPFIX module for decoding IPFIX data. It
is considered not yet to be complete and does not yet support full IPFIX.
o Supports basically same feature set of elements as netflow_v9 module
o Only UDP traffic is accepted no SCTP so far
o No sampling support.
o Still more test data needed. If you would like to see more IPFIX
support, please contact me.
General README
--------------
This is a small description, what the nfdump tools do and how they work.
Nfdump is distributed under the BSD license - see BSD-license.txt
The nfdump tools collect and process netflow data on the command line.
They are part of the NFSEN project, which is explained more detailed at
http://www.terena.nl/tech/task-forces/tf-csirt/meeting12/nfsen-Haag.pdf
The Web interface mentioned is not part of nfdump and is available at
http://nfsen.sourceforge.net
nfdump tools overview:
----------------------
nfcapd - netflow collector daemon.
Reads the netflow data from the network and stores the flow records
into files. Automatically rotates files every n minutes. ( typically
every 5 min ) nfcapd reads netflow versions v1, v5, v7 and v9 flows
as well as IPFIX flows transparently. Several netflow streams can be
sent to a single or collector.
nfdump - netflow dump.
Reads the netflow data from the files stored by nfcapd. It's filter
syntax is similar to tcpdump ( pcap like ) but for netflow adapted.
If you like tcpdump you will like nfdump. nfdump displays netflow
data and/or creates top N statistics of flows, bytes, packets. nfdump
has a powerful and flexible flow aggregation including bi-directional
flows. The output format is user selectable and also includes a simple
csv format for post processing.
nfreplay - netflow replay
Reads the netflow data from the files stored by nfcapd and sends it
over the network to another host.
nfexpire - expire old netflow data
Manages data expiration. Sets appropriate limits.
Optional binaries:
nfprofile - netflow profiler. Required by NfSen
Reads the netflow data from the files stored by nfcapd. Filters the
netflow data according to the specified filter sets ( profiles ) and
stores the filtered data into files for later use.
nftrack - Port tracking decoder for NfSen plugin PortTracker.
ft2nfdump - read flow-tools format - Optional tool
ft2nfdump acts as a pipe converter for flow-tools data. It allows
to read any flow-tools data and process and save it in nfdump format.
sfcapd - sflow collector daemon
scfapd collects sflow data and stores it into nfcapd comaptible files.
"sfcapd includes sFlow(TM), freely available from http://www.inmon.com/".
nfreader - Framework for programmers
nfreader is a framework to read nfdump files for any other purpose.
Own C code can be added to process flows. nfreader is not installed
parse_csv.pl - Simple reader, written in Perl.
parse_csv.pl reads nfdump csv output and print the flows to stdout.
This program is intended to be a framework for post processing flows
for any other purpose.
Note for sflow users:
sfcapd and nfcapd can be used concurrently to collect netflow and sflow
data at the same time. Generic command line options apply to both
collectors likewise. Due to lack of availability of sflow devices,
I could not test the correct output of IPv6 records. Users are requested
to send feedback to the list or directly to me. sfcapd's sflow decoding
module is based on InMon's sflowtool code and supports similar fields as
nfcapd does for netflow v9, which is a subset of all available sflow
fields in an sflow record. More fields may be integrated in future
versions of sfcapd.
Compression
-----------
Binary data files can optionally be compressed using the fast LZO1X-1
compression. For more details on this algorithm see,
http://www.oberhumer.com/opensource/lzo. LZO1X-1 is very fast, so
that compression can be used in real time by the collector. LZO1X-1
reduces the file size around 50%. You can check the compression speed
for your system by doing ./nftest <path/to/an/existing/netflow/file>.
Principle of Operation:
-----------------------
The goal of the design is to able to analyze netflow data from
the past as well as to track interesting traffic patterns
continuously. The amount of time back in the past is limited only
by the disk storage available for all the netflow data. The tools
are optimized for speed for efficient filtering. The filter rules
should look familiar to the syntax of tcpdump ( pcap compatible ).
All data is stored to disk, before it gets analyzed. This separates
the process of storing and analyzing the data.
The data is organized in a time-based fashion. Every n minutes
- typically 5 min - nfcapd rotates and renames the output file
with the timestamp nfcapd.YYYYMMddhhmm of the interval e.g.
nfcapd.200907110845 contains data from July 11th 2009 08:45 onward.
Based on a 5min time interval, this results in 288 files per day.
Analyzing the data can be done for a single file, or by concatenating
several files for a single output. The output is either ASCII text
or binary data, when saved into a file, ready to be processed again
with the same tools.
You may have several netflow sources - let's say 'router1' 'router2'
and so on. The data is organized as follows:
/flow_base_dir/router1
/flow_base_dir/router2
which means router1 and router2 are subdirs of the flow_base_dir.
Although several flow sources can be sent to a single collector,
It's recommended to have multiple collector on busy networks for
each source.
Example: Start two collectors on different ports:
nfcapd -w -D -S 2 -B 1024000 -l /flow_base_dir/router1 -p 23456
nfcapd -w -D -S 2 -B 1024000 -l /flow_base_dir/router2 -p 23457
nfcapd can handle multiple flow sources.
All sources can go into a single file or can be split:
All into the same file:
nfcapd -w -D -S 2 -l /flow_base_dir/routers -p 23456
Collected on one port and split per source:
nfcapd -w -D -S 2 -n router1,172.16.17.18,/flow_base_dir/router1 \
-n router2,172.16.17.20,/flow_base_dir/router2 -p 23456
See nfcapd(1) for a detailed explanation of all options.
Security: none of the tools requires root privileges, unless you have
a port < 1024. However, there is no access control mechanism in nfcapd.
It is assumed, that host level security is in place to filter the
proper IP addresses.
See the manual pages or use the -h switch for details on using each of
the programs. For any questions send email to [email protected]
Configure your router to export netflow. See the relevant documentation
for your model.
A generic Cisco sample configuration enabling NetFlow on an interface:
ip address 192.168.92.162 255.255.255.224
interface fastethernet 0/0
ip route-cache flow
To tell the router where to send the NetFlow data, enter the following
global configuration command:
ip flow-export 192.168.92.218 9995
ip flow-export version 5
ip flow-cache timeout active 5
This breaks up long-lived flows into 5-minute segments. You can choose
any number of minutes between 1 and 60;
Netflow v9 full export example of a cisco 7200 with sampling enabled:
interface Ethernet1/0
ip address 192.168.92.162 255.255.255.224
duplex half
flow-sampler my-map
!
!
flow-sampler-map my-map
mode random one-out-of 5
!
ip flow-cache timeout inactive 60
ip flow-cache timeout active 1
ip flow-capture fragment-offset
ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-export version 9
ip flow-export template options export-stats
ip flow-export template options sampler
ip flow-export template options timeout-rate 1
ip flow-export template timeout-rate 1
ip flow-export destination 192.168.92.218 9995
See the relevant documentation for a full description of netflow commands
Note: Netflow version v5 and v7 have 32 bit counter values. The number of
packets or bytes may overflow this value, within the flow-cache timeout
on very busy routers. To prevent overflow, you may consider to reduce the
flow-cache timeout to lower values. All nfdump tools use 64 bit counters
internally, which means, all aggregated values are correctly reported.
The binary format of the data files is netflow version independent.
For speed reasons the binary format is machine architecture dependent, and
as such can not be exchanged between little and big endian systems.
Internally nfdump does all processing IP protocol independent, which means
everything works for IPv4 as well as IPv6 addresses.
See the nfdump(1) man page for details.
netflow version 9:
nfcapd supports a large range of netflow v9 tags. Version 1.6 nfdump
supports the following fields. This list can be found in netflow_v9.h
// Flowset record types
#define NF9_IN_BYTES 1
#define NF9_IN_PACKETS 2
#define NF9_FLOWS_AGGR 3
#define NF9_IN_PROTOCOL 4
#define NF9_SRC_TOS 5
#define NF9_TCP_FLAGS 6
#define NF9_L4_SRC_PORT 7
#define NF9_IPV4_SRC_ADDR 8
#define NF9_SRC_MASK 9
#define NF9_INPUT_SNMP 10
#define NF9_L4_DST_PORT 11
#define NF9_IPV4_DST_ADDR 12
#define NF9_DST_MASK 13
#define NF9_OUTPUT_SNMP 14
#define NF9_V4_NEXT_HOP 15
#define NF9_SRC_AS 16
#define NF9_DST_AS 17
#define NF9_BGP_V4_NEXT_HOP 18
#define NF9_LAST_SWITCHED 21
#define NF9_FIRST_SWITCHED 22
#define NF9_OUT_BYTES 23
#define NF9_OUT_PKTS 24
#define NF9_IPV6_SRC_ADDR 27
#define NF9_IPV6_DST_ADDR 28
#define NF9_IPV6_SRC_MASK 29
#define NF9_IPV6_DST_MASK 30
#define NF9_IPV6_FLOW_LABEL 31
#define NF9_ICMP_TYPE 32
#define NF9_SAMPLING_INTERVAL 34
#define NF9_SAMPLING_ALGORITHM 35
#define NF9_ENGINE_TYPE 38
#define NF9_ENGINE_ID 39
#define NF9_FLOW_SAMPLER_ID 48
#define FLOW_SAMPLER_MODE 49
#define NF9_FLOW_SAMPLER_RANDOM_INTERVAL 50
// #define NF9_MIN_TTL 52
// #define NF9_MAX_TTL 53
// #define NF9_IPV4_IDENT 54
#define NF9_DST_TOS 55
#define NF9_IN_SRC_MAC 56
#define NF9_OUT_DST_MAC 57
#define NF9_SRC_VLAN 58
#define NF9_DST_VLAN 59
#define NF9_DIRECTION 61
#define NF9_V6_NEXT_HOP 62
#define NF9_BPG_V6_NEXT_HOP 63
// #define NF9_V6_OPTION_HEADERS 64
#define NF9_MPLS_LABEL_1 70
#define NF9_MPLS_LABEL_2 71
#define NF9_MPLS_LABEL_3 72
#define NF9_MPLS_LABEL_4 73
#define NF9_MPLS_LABEL_5 74
#define NF9_MPLS_LABEL_6 75
#define NF9_MPLS_LABEL_7 76
#define NF9_MPLS_LABEL_8 77
#define NF9_MPLS_LABEL_9 78
#define NF9_MPLS_LABEL_10 79
#define NF9_IN_DST_MAC 80
#define NF9_OUT_SRC_MAC 81
#define NF9_FORWARDING_STATUS 89
#define NF9_BGP_ADJ_NEXT_AS 128
#define NF9_BGP_ADJ_PREV_AS 129
// CISCO ASA NSEL extension - Network Security Event Logging
#define NF_F_FLOW_BYTES 85
#define NF_F_CONN_ID 148
#define NF_F_FLOW_CREATE_TIME_MSEC 152
#define NF_F_ICMP_TYPE 176
#define NF_F_ICMP_CODE 177
#define NF_F_ICMP_TYPE_IPV6 178
#define NF_F_ICMP_CODE_IPV6 179
#define NF_F_FWD_FLOW_DELTA_BYTES 231
#define NF_F_REV_FLOW_DELTA_BYTES 232
#define NF_F_FW_EVENT84 233
#define NF_F_EVENT_TIME_MSEC 323
#define NF_F_INGRESS_ACL_ID 33000
#define NF_F_EGRESS_ACL_ID 33001
#define NF_F_FW_EXT_EVENT 33002
#define NF_F_USERNAME 40000
#define NF_F_XLATE_SRC_ADDR_IPV4 40001
#define NF_F_XLATE_DST_ADDR_IPV4 40002
#define NF_F_XLATE_SRC_PORT 40003
#define NF_F_XLATE_DST_PORT 40004
#define NF_F_FW_EVENT 40005
// Cisco ASR 1000 series NEL extension - Nat Event Logging
#define NF_N_NAT_EVENT 230
#define NF_N_INGRESS_VRFID 234
#define NF_N_NAT_INSIDE_GLOBAL_IPV4 225
#define NF_N_NAT_OUTSIDE_GLOBAL_IPV4 226
#define NF_N_POST_NAPT_SRC_PORT 227
#define NF_N_POST_NAPT_DST_PORT 228
// nprobe latency extensions
#define NF9_NPROBE_CLIENT_NW_DELAY_SEC 57554
#define NF9_NPROBE_CLIENT_NW_DELAY_USEC 57555
#define NF9_NPROBE_SERVER_NW_DELAY_SEC 57556
#define NF9_NPROBE_SERVER_NW_DELAY_USEC 57557
#define NF9_NPROBE_APPL_LATENCY_SEC 57558
#define NF9_NPROBE_APPL_LATENCY_USEC 57559
32 and 64 bit counters are supported for any counters. However, internally
nfdump stores packets and bytes counters always as 64bit counters.
16 and 32 bit AS numbers are supported.
Extensions: nfcapd supports a large number of v9 tags. In order to optimise
disk space and performance, v9 tags are grouped into a number of extensions
which may or may not be stored into the data file. Therefore the v9 templates
configured on the exporter may be tuned with the collector. Only the tags
common to both are stored into the data files. Extensions can be switch
on/off by using the -T option.
Sampling: By default, the sampling rate is set to 1 (unsampled) or to
any given value specified by the -s cmd line option. If sampling information
is found in the netflow stream, it overwrites the default value. Sampling
is automatically recognised when announced in v9 option templates
(tags #48, #49, #50 ) or in the unofficial v5 header hack. Note: Not all
platforms (or IOS versions) support exporting sampling information in
netflow data, even if sampling is configured. The number of bytes/packets
in each netflow record is automatically multiplied by the sampling rate.
The total number of flows is not changed as this is not accurate enough.
(Small flows versus large flows)
nfcapd can listen on IPv6 or IPv4. Furthermore multicast is supported.
Flow-tools compatibility
------------------------
When building with configure option --enable-ftconv, the flow-tools converter
is compiled. Using this converter, any flow-tools created data can be read
and processed and stored by nfdump.
Example:
flow-cat [options] | ft2nfdump | nfdump [options]
See the INSTALL file for installation details.