[from wikipedia]
Netflow exporters : thiết bị tạo (xuất) netflow data. Thường là các thiết bị cần theo dõi - switches, routers, pc, laptop, v.v
- Netflow collectors: thiết bị nhận & lưu netflow data để quản lý. Data lưu dạng file/DB.
Thử nghiệm
- Exporter: Máy ubuntu 10.04 , cần theo dõi card etho0 , dùng fprobe tạo netflow data, IP 182.158.25.186
- Collector: dùng nfdump (nfcapd) để nhận netflow data, dùng nfsen để tạo GUI dùng cho theo dõi. Máy ubuntu 10.04 , IP 182.158.25.159 , mở port 5555 để nhận data về. Y
Cài đặt
1. Exporter.
$sudo apt-get install fprobe
$sudo nano /etc/default/fprobe
#fprobe default configuration file
INTERFACE = eth0
FLOW_COLLECTOR="localhost:9995"
FLOW_COLLECTOR="localhost:9995"
$sudo fprobe -i eth0 182.158.25.159:5555
$ps -A | grep fprobe
3091 ? 00:00:21 fprobe (nó chạy rồi)
2. Collector
#cài nfdump
$cd /tmp
$tar -zxvf nfdump-1.6.9.tar.gz
$cd nfdump-1.6.9
#cài thêm hàng
$sudo apt-get install flow-tools gcc flex byacc librrd-dev bison gcc-4.1 sendmail make
#complile với option hỗ trợ cho nfsen sau này
$sudo ./configure --enable-nfprofile
$sudo make
$sudo make install
#cài nfsen
$cd /tmp
$tar -zxvf nfsen-1.3.6p1.tar.gz
$cd nfsen-1.3.6p1
#cài thêm hàng cho nfsen chạy
$sudo apt-get install tasksel
$sudo tasksel install lamp-server
$sudo apt-get install libapache2-mod-php5 php5-common libmailtools-perl librrds-perl bison fping libsocket6-perl
# nhớ dùng auto-configuration option khi configure perl.
#chuẩn bị folder
$sudo mkdir -p /var/local/nfsen
$sudo mkdir -p /var/www/nfsen
$sudo chown -fR www-data:www-data /var/local/nfsen
$sudo chown -fR www-data:www-data /var/www/nfsen
$sudo cp etc/nfsen-dist.conf etc/nfsen.conf
$nano etc/nfsen.conf
# Modify following lines
$BASEDIR=”/var/local/nfsen”;
$HTMLDIR="/var/www/nfsen/";
$USER = ”www-data”
$WWWUSER = "www-data";
$WWWGROUP = "www-data";
%sources = (
'Source-5555' => { 'port' => '5555', 'col' => '#0000ff', 'type' => 'netflow' },
# thêm source như line trên nếu cần thêm
);
'Source-5555' => { 'port' => '5555', 'col' => '#0000ff', 'type' => 'netflow' },
# thêm source như line trên nếu cần thêm
);
$sudo ./install.pl etc/nfsen.conf
$sudo /var/local/bin/nfsen start
$ps -A | grep nfcapd
5008 ? 00:00:00 nfcapd # ẻm đã chạy
#coi thử có hàng về chưa trên port 5555 đã mở
$sudo tcpdump -i eth0 port 5555
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:47.506769 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 120
14:57:52.506250 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 120
14:57:57.505762 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 120
14:58:07.504843 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 216
14:58:07.509202 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 1464
14:58:12.504381 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 600
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:47.506769 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 120
14:57:52.506250 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 120
14:57:57.505762 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 120
14:58:07.504843 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 216
14:58:07.509202 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 1464
14:58:12.504381 IP ubuntu-2.local.60336 > ubuntu.local.rplay: UDP, length 600
- Giờ mở nfsen GUI lên: http://localhost/nfsen/nfsen.php
Kết quả
#Flow data lưu tại /var/local/nfsen/profiles-data/live/[source-name]/[year]/[month]/[captured date]
$ls -l profiles-data/live/Source-5555/2013/04/28/
total 376
-rw-r--r-- 1 www-data www-data 2184 2013-04-28 10:40 nfcapd.201304281035
-rw-r--r-- 1 www-data www-data 1428 2013-04-28 10:45 nfcapd.201304281040
-rw-r--r-- 1 www-data www-data 12847 2013-04-28 10:50 nfcapd.201304281045
-rw-r--r-- 1 www-data www-data 23980 2013-04-28 10:55 nfcapd.201304281050
-rw-r--r-- 1 www-data www-data 9422 2013-04-28 11:00 nfcapd.201304281055
-rw-r--r-- 1 www-data www-data 2601 2013-04-28 11:05 nfcapd.201304281100
-rw-r--r-- 1 www-data www-data 2267 2013-04-28 11:10 nfcapd.201304281105
-rw-r--r-- 1 www-data www-data 19925 2013-04-28 11:15 nfcapd.201304281110
-rw-r--r-- 1 www-data www-data 5899 2013-04-28 11:20 nfcapd.201304281115
-rw-r--r-- 1 www-data www-data 2184 2013-04-28 10:40 nfcapd.201304281035
-rw-r--r-- 1 www-data www-data 1428 2013-04-28 10:45 nfcapd.201304281040
-rw-r--r-- 1 www-data www-data 12847 2013-04-28 10:50 nfcapd.201304281045
-rw-r--r-- 1 www-data www-data 23980 2013-04-28 10:55 nfcapd.201304281050
-rw-r--r-- 1 www-data www-data 9422 2013-04-28 11:00 nfcapd.201304281055
-rw-r--r-- 1 www-data www-data 2601 2013-04-28 11:05 nfcapd.201304281100
-rw-r--r-- 1 www-data www-data 2267 2013-04-28 11:10 nfcapd.201304281105
-rw-r--r-- 1 www-data www-data 19925 2013-04-28 11:15 nfcapd.201304281110
-rw-r--r-- 1 www-data www-data 5899 2013-04-28 11:20 nfcapd.201304281115
Note: coi tên file, nfcapd cập nhật file mỗi 5ph.
#mở file bằng command.
$nfdump -r [captured file]
e.g:
ate first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2013-04-28 03:58:26.664 0.000 TCP 173.194.38.140:80 -> 182.158.25.186:40809 1 40 1
2013-04-28 03:58:26.664 0.000 TCP 173.194.38.139:80 -> 182.158.25.186:51222 1 40 1
2013-04-28 03:58:26.606 0.058 TCP 182.158.25.186:40809 -> 173.194.38.140:80 2 80 1
2013-04-28 03:58:26.606 0.058 TCP 182.158.25.186:51222 -> 173.194.38.139:80 2 80 1
2013-04-28 03:58:33.400 0.000 UDP 182.158.25.186:44872 -> 182.158.24.10:53 1 61 1
2013-04-28 03:58:31.642 6.311 TCP 72.21.91.9:80 -> 182.158.25.186:37985 5 690 1
2013-04-28 03:58:33.454 0.000 UDP 182.158.24.10:53 -> 182.158.25.186:44872 1 91 1
2013-04-28 03:58:31.642 6.334 TCP 72.21.91.9:80 -> 182.158.25.186:37984 5 690 1
2013-04-28 03:58:31.436 6.312 TCP 182.158.25.186:37985 -> 72.21.91.9:80 5 620 1
2013-04-28 03:58:31.436 6.335 TCP 182.158.25.186:37984 -> 72.21.91.9:80 5 620 1
2013-04-28 03:54:43.225 304.773 TCP 86.159.224.248:29051 -> 182.158.25.186:35130 7501 6.4 M 1
2013-04-28 03:58:46.662 0.000 TCP 173.194.38.138:80 -> 182.158.25.186:47643 1 40 1
2013-04-28 03:58:46.607 0.055 TCP 182.158.25.186:47643 -> 173.194.38.138:80 2 80 1
2013-04-28 03:54:43.225 304.773 TCP 182.158.25.186:35130 -> 86.159.224.248:29051 4899 269882 1
2013-04-28 03:58:51.441 0.232 TCP 182.158.25.186:40835 -> 173.194.38.140:80 31 1691 1
2013-04-28 03:58:51.498 0.175 TCP 173.194.38.140:80 -> 182.158.25.186:40835 33 43861 1
2013-04-28 03:58:53.400 0.000 UDP 182.158.25.186:38136 -> 182.158.24.10:53 1 63 1
2013-04-28 03:58:51.653 6.322 TCP 72.21.91.9:80 -> 182.158.25.186:37987 5 690 1
2013-04-28 03:58:39.036 14.003 Trnk1 53.138.3.0:35750 -> 0.0.0.3:38735 8 6144 1
2013-04-28 03:58:53.454 0.000 UDP 182.158.24.10:53 -> 182.158.25.186:38136 1 93 1
2013-04-28 03:58:26.664 0.000 TCP 173.194.38.140:80 -> 182.158.25.186:40809 1 40 1
2013-04-28 03:58:26.664 0.000 TCP 173.194.38.139:80 -> 182.158.25.186:51222 1 40 1
2013-04-28 03:58:26.606 0.058 TCP 182.158.25.186:40809 -> 173.194.38.140:80 2 80 1
2013-04-28 03:58:26.606 0.058 TCP 182.158.25.186:51222 -> 173.194.38.139:80 2 80 1
2013-04-28 03:58:33.400 0.000 UDP 182.158.25.186:44872 -> 182.158.24.10:53 1 61 1
2013-04-28 03:58:31.642 6.311 TCP 72.21.91.9:80 -> 182.158.25.186:37985 5 690 1
2013-04-28 03:58:33.454 0.000 UDP 182.158.24.10:53 -> 182.158.25.186:44872 1 91 1
2013-04-28 03:58:31.642 6.334 TCP 72.21.91.9:80 -> 182.158.25.186:37984 5 690 1
2013-04-28 03:58:31.436 6.312 TCP 182.158.25.186:37985 -> 72.21.91.9:80 5 620 1
2013-04-28 03:58:31.436 6.335 TCP 182.158.25.186:37984 -> 72.21.91.9:80 5 620 1
2013-04-28 03:54:43.225 304.773 TCP 86.159.224.248:29051 -> 182.158.25.186:35130 7501 6.4 M 1
2013-04-28 03:58:46.662 0.000 TCP 173.194.38.138:80 -> 182.158.25.186:47643 1 40 1
2013-04-28 03:58:46.607 0.055 TCP 182.158.25.186:47643 -> 173.194.38.138:80 2 80 1
2013-04-28 03:54:43.225 304.773 TCP 182.158.25.186:35130 -> 86.159.224.248:29051 4899 269882 1
2013-04-28 03:58:51.441 0.232 TCP 182.158.25.186:40835 -> 173.194.38.140:80 31 1691 1
2013-04-28 03:58:51.498 0.175 TCP 173.194.38.140:80 -> 182.158.25.186:40835 33 43861 1
2013-04-28 03:58:53.400 0.000 UDP 182.158.25.186:38136 -> 182.158.24.10:53 1 63 1
2013-04-28 03:58:51.653 6.322 TCP 72.21.91.9:80 -> 182.158.25.186:37987 5 690 1
2013-04-28 03:58:39.036 14.003 Trnk1 53.138.3.0:35750 -> 0.0.0.3:38735 8 6144 1
2013-04-28 03:58:53.454 0.000 UDP 182.158.24.10:53 -> 182.158.25.186:38136 1 93 1
Xong xuôi. Merci đã theo dõi
No comments:
Post a Comment