Installing NfSen & nfdump on Ubuntu and Then Integrating with LibreNMS

 

librenms@librenms:~$ lsb_release -a

No LSB modules are available.

Distributor ID: Ubuntu

Description:    Ubuntu 20.04.2 LTS

Release:        20.04

Codename:       focal

Project Link:

http://nfsen.sourceforge.net/

http://nfdump.sourceforge.net/

https://github.com/phaag/nfdump

https://www.first.org/resources/papers/conference2006/haag-peter-papers.pdf

For older Ubuntu versions (16, 18), enable the universe repository first:

sudo add-apt-repository universe

Installation

Use the sudo user

sudo -i

Update ubuntu:

apt-get update

apt autoremove

 

Create and navigate to a new folder:

mkdir ~/nfsen && cd ~/nfsen

 

or

 

mkdir /var/nfsen && cd /var/nfsen

 

Download the required files:

wget https://bit.ly/2NpMHqV     # NfSen

wget https://github.com/phaag/nfdump/archive/v1.6.17.tar.gz    # nfdump

Extract the files:

tar zxfv 2NpMHqV

tar xzfv v1.6.17.tar.gz

Install Dependencies

apt install make gcc flex rrdtool librrd-dev libpcap-dev php librrds-perl libsocket6-perl apache2 libapache2-mod-php libtool dh-autoreconf pkg-config libbz2-dev byacc doxygen graphviz librrdp-perl libmailtools-perl build-essential autoconf

 

Alternatively, you may install only these packages (this is important):

apt-get install apache2 php libapache2-mod-php librrds-perl librrdp-perl librrd-dev libmailtools-perl build-essential autoconf rrdtool

Make sure the right version of PHP is being used:

a2enmod php7.4

Fix problem with displaying icons in nfsen:

nano /etc/apache2/mods-enabled/alias.conf

and comment out the line: Alias /icons/ "/usr/share/apache2/icons/"

In the php.ini file, be sure to specify the correct time zone, for example:

nano /etc/php/7.4/apache2/php.ini

date.timezone = Asia/Karachi

 

Prepare nfdump for compilation:

cd nfdump-1.6.17/

sh ./autogen.sh

./configure --enable-nsel --enable-nfprofile --enable-sflow --enable-readpcap --enable-nfpcapd --enable-nftrack --enable-jnat

Compile and install nfdump

make && make install

 

(it may be necessary to run /sbin/ldconfig or ldconfig as root after the installation)

 

Install nfsen dependencies:

cpan App::cpanminus

cpanm Mail::Header

cpanm Mail::Internet

 

Check the nfdump version:

nfdump -v

Configure nfsen:

cd ../nfsen-1.3.6p1

cp etc/nfsen-dist.conf etc/nfsen.conf

nano ./etc/nfsen.conf

You may change the following (apache2 and nginx run as the www-data user by default):

# user and group of the web server process
# All netflow processing will be done with this user

$BASEDIR = "/var/nfsen";

$PREFIX  = '/usr/local/bin';

$USER    = "netflow";

$WWWUSER  = "www-data";
$WWWGROUP = "www-data";

# number of nfprofile processes to spawn during the profiling phase
# depends on how busy your system is and how many CPUs you have
# on very busy systems increase it to a higher value
#$PROFILERS = 2;

Add user used by nfsen:

useradd -M -s /bin/false -G www-data netflow

 

Create nfsen base directory:

mkdir -p /var/nfsen

 

Install nfsen:

./install.pl ./etc/nfsen.conf

 

If there is a version mismatch change this:

nano libexec/NfSenRRD.pm

Change from 1.5 to 1.8

 

Point default Apache site to nfsen.php file:

nano /etc/apache2/sites-enabled/000-default.conf

DocumentRoot /var/www/nfsen

DirectoryIndex nfsen.php

For example:

        ServerAdmin webmaster@localhost
        ServerName 192.168.88.163
        DocumentRoot /var/www/nfsen
        DirectoryIndex nfsen.php

 

Change the Apache port from 80 to any_port_number:

 

nano /etc/apache2/apache2.conf

systemctl enable apache2

systemctl start apache2

Start nfsen service:

/var/nfsen/bin/nfsen start

 

Restart Apache:

systemctl restart apache2

 

If you need to run nfsen on port 2055/udp, and it was taken by default by nfdump (by the nfcapd process), then stop it before running nfsen:

systemctl is-enabled nfdump

systemctl stop nfdump

netstat -anpl | grep 2055

kill -9 PID_NUMBER

netstat -anpl | grep nfcapd

Testing on MikroTik

nano /var/nfsen/etc/nfsen.conf

%sources = (
    'MikroTik_CCIE' => { 'port' => '2055', 'col' => '#00ff00', 'type' => 'netflow' },
#    'upstream1'    => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
#    'peer1'        => { 'port' => '9996', 'IP' => '192.168.88.1' },
#    'peer2'        => { 'port' => '9996', 'IP' => '0.0.0.0' },
);

 #OR

%sources = (
      'source1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
      'source2' => { 'port' => '9996', 'col' => '#cc3333', 'type' => 'netflow' },
      'source3' => { 'port' => '9997', 'col' => '#99ff33', 'type' => 'netflow' },
  );

# OR

%sources = (
    'ccr1016'      => { 'port' => '9995', 'IP' => 'x.x.x.x', 'col' => '#0000ff', 'type' => 'netflow' },
    'apfloor1'     => { 'port' => '9995', 'IP' => 'x.x.x.x', 'col' => '#8B0000' },
    'apfloor2'     => { 'port' => '9995', 'IP' => 'x.x.x.x', 'col' => '#DC143C'},
    'apfloor3'     => { 'port' => '9995', 'IP' => 'x.x.x.x', 'col' => '#FF7F50'},
);
 

 

/etc/init.d/nfsen reconfig

Or

cd /var/nfsen/bin

./nfsen reconfig

./nfsen start

sudo /etc/init.d/nfsen reconfig

 

To make nfsen reboot proof:

ln -s /var/nfsen/bin/nfsen  /etc/init.d/nfsen

update-rc.d nfsen defaults 20

It remains to configure the web server or just create a symbolic link in the www directory (after that you can open nfsen in a browser, for example http://192.168.88.157/nfsen/nfsen.php):

               

ln -s /var/nfsen/www/ /var/www/html/nfsen

 

or

ln -s /var/www/nfsen/ /var/www/html/nfsen

 

Make sure that nfsen starts when the operating system starts:

systemctl enable nfsen

systemctl start nfsen

systemctl status nfsen

Browse to:

http://yourip:portnumber

Auto start at boot

  • Create /etc/systemd/system/nfsen.service:
    [Unit]
    Description=NfSen Service
    After=network.target
    
    [Service]
    Type=forking
    PIDFile=/var/nfsen/var/run/nfsend.pid
    ExecStart=/var/nfsen/bin/nfsen start
    ExecStop=/var/nfsen/bin/nfsen stop
    Restart=on-abort
    
    [Install]
    WantedBy=multi-user.target

 

Troubleshooting commands:

sudo netstat -tulpn

ls -l /var/nfsen/profiles-stat/live

timedatectl set-timezone Asia/Karachi

chmod -R 777 /var/nfsen/var/run/nfsen.comm

chown -R www-data:www-data /var/nfsen

chown -R netflow:www-data /var/nfsen/profiles-data/live/

tcpdump port 2055 -e -n

ps auxwww | grep nfcapd
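
An added example (not part of the original post) that cross-checks saved `tcpdump -e -n` output against the `%sources` block of nfsen.conf, so each exporter seen on the wire can be matched to a configured port and 'IP'. The function names, file contents and addresses are constructed for illustration, and it assumes a source without 'IP' accepts flows from any exporter.

```shell
# Added example: cross-check exporters seen by tcpdump against %sources.
# Print "port ip" per active source ("any" when the entry has no 'IP').
sources_from_conf() {
    sed -n '/^[[:space:]]*%sources/,/^[[:space:]]*);/p' "$1" |
    grep -v '^[[:space:]]*#' |
    awk -F"'" '/=>/ { port = ""; ip = "any"
        for (i = 2; i + 2 <= NF; i++) {
            if ($i == "port") port = $(i + 2)
            if ($i == "IP")   ip   = $(i + 2)
        }
        if (port != "") print port, ip }'
}

# Print "src_ip dst_port" for each IPv4 packet line of `tcpdump -e -n` output.
flow_pairs() {
    awk '{ for (i = 2; i < NF; i++)
        if ($i == ">" && $(i-1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            src = $(i-1); sub(/\.[0-9]+$/, "", src)
            dst = $(i+1); sub(/:$/, "", dst); sub(/^.*\./, "", dst)
            print src, dst } }' "$1"
}

# Print "src_ip dst_port verdict" for every distinct exporter/port pair.
check_exporters() {
    { sources_from_conf "$1" | sed 's/^/S /'
      flow_pairs "$2" | sort -u | sed 's/^/F /'; } |
    awk '$1 == "S" { port[$2] = 1; allow[$2 " " $3] = 1; next }
        { any = $3 " any"; exact = $3 " " $2; v = "no-collector-on-port"
          if ($3 in port)
              v = ((any in allow) || (exact in allow)) ? "ok" : "exporter-not-in-sources"
          print $2, $3, v }'
}

# Constructed sample data (documentation addresses, not from the page).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nfsen.conf" <<'EOF'
%sources = (
    'ccr1016' => { 'port' => '9995', 'IP' => '192.0.2.1', 'col' => '#0000ff', 'type' => 'netflow' },
    'edge'    => { 'port' => '2055', 'col' => '#00ff00', 'type' => 'netflow' },
#    'peer1'   => { 'port' => '9996', 'IP' => '192.0.2.9' },
);
EOF
cat > "$demo_dir/capture.txt" <<'EOF'
13:12:10.811808 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 202: 192.0.2.1.43947 > 198.51.100.5.9995: UDP, length 160
13:12:11.811380 02:00:00:00:00:03 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 202: 192.0.2.77.51000 > 198.51.100.5.9995: UDP, length 160
13:12:12.811381 02:00:00:00:00:04 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 202: 192.0.2.50.40000 > 198.51.100.5.2055: UDP, length 160
13:12:13.811475 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 202: 192.0.2.1.43947 > 198.51.100.5.9996: UDP, length 160
EOF
check_exporters "$demo_dir/nfsen.conf" "$demo_dir/capture.txt"
```

To use it on a live collector, save a capture with `tcpdump port 2055 -e -n > capture.txt` and pass /var/nfsen/etc/nfsen.conf as the first argument.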

Comments

  1. cpan App::cpanminus

    cpan*m* Mail::Header

    cpan*m* Mail::Internet

  2. Hi,
    Many thanks for share!
    What about nginx webserver setup?

  3. root@flujos7200:/var/nfsen/nfsen-1.3.6p1# /var/nfsen/bin/nfsen start
    Subroutine Lookup::pack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/Lookup.pm line 43.
    Subroutine Lookup::unpack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/Lookup.pm line 43.
    Subroutine Lookup::sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/Lookup.pm line 43.
    Subroutine AbuseWhois::pack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/AbuseWhois.pm line 42.
    Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/AbuseWhois.pm line 42.
    Subroutine AbuseWhois::sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/AbuseWhois.pm line 42.
    Subroutine AbuseWhois::pack_sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.
    Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.
    Subroutine AbuseWhois::sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.
    Starting nfcapd:(7200cantv)[11908] (7200vnet)[11911]
    Starting nfsendSubroutine Lookup::pack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/Lookup.pm line 43.
    Subroutine Lookup::unpack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/Lookup.pm line 43.
    Subroutine Lookup::sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/Lookup.pm line 43.
    Subroutine AbuseWhois::pack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/AbuseWhois.pm line 42.
    Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/AbuseWhois.pm line 42.
    Subroutine AbuseWhois::sockaddr_in6 redefined at /usr/share/perl/5.30/Exporter.pm line 66.
    at /var/nfsen/libexec/AbuseWhois.pm line 42.
    Subroutine AbuseWhois::pack_sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.
    Subroutine AbuseWhois::unpack_sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.
    Subroutine AbuseWhois::sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.


  4. Hi! thanks for sharing!!! it's very useful.

    I followed the instructions of the video until 18min 35 sec, I got packets in my tcpdump, but no graphs are displayed. I took care to add the router in nfsen.conf with the right port number.

    %sources = (
    'ncs5500-core1' => { 'port' => '2055', 'IP' => '10.10.10.1', 'col' => '#0000ff', 'type' => 'netflow' },
    #

    root@Netflow:~# tcpdump port 2055 -e -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    13:12:10.811808 44:d3:ca:0e:df:cc > 86:2f:55:a9:55:7c, ethertype IPv4 (0x0800), length 202: 10.10.10.1.43947 > 172.16.2.111.2055: UDP, length 160
    13:12:11.811380 44:d3:ca:0e:df:cc > 86:2f:55:a9:55:7c, ethertype IPv4 (0x0800), length 1474: 10.10.10.1.43947 > 172.16.2.111.2055: UDP, length 1432
    13:12:11.811381 44:d3:ca:0e:df:cc > 86:2f:55:a9:55:7c, ethertype IPv4 (0x0800), length 1474: 10.10.10.1.43947 > 172.16.2.111.2055: UDP, length 1432
    13:12:11.811475 44:d3:ca:0e:df:cc > 86:2f:55:a9:55:7c, ethertype IPv4 (0x0800), length 1474: 10.10.10.1.43947 > 172.16.2.111.2055: UDP, length 1432
    13:12:11.811625 44:d3:ca:0e:df:cc > 86:2f:55:a9:55:7c, ethertype IPv4 (0x0800), length 14

    I can see that the file in profiles-stat/live doesn't grow. Could it be a permission problem? (I added the chmod and chown parameters.) I can also see that the file in the live dir is created by the netflow user instead of the others (www-data).

    root@Netflow:~# ls -l /var/nfsen/profiles-stat/live
    total 2840
    -rw-r--r-- 1 www-data www-data 14431 Apr 30 12:35 flows-day.png
    -rw-r--r-- 1 www-data www-data 15287 Apr 30 12:35 flows-month.png
    -rw-r--r-- 1 www-data www-data 15942 Apr 30 12:35 flows-week.png
    -rw-r--r-- 1 www-data www-data 16765 Apr 30 12:35 flows-year.png
    -rw-r--r-- 1 netflow www-data 2687848 Apr 30 13:10 ncs5500-core1.rrd
    -rw-r--r-- 1 www-data www-data 15017 Apr 30 12:35 packets-day.png

    file ncs5500-core1.rrd remains with the same size.

    thanks!!!
