[HOWTO] Netflow


Loceur
Posts: 2
Joined: Thu Mar 09, 2006 9:38 am

[HOWTO] Netflow

Post by Loceur »

Ok, so here's my first post, but it seems like a needed one.

Things needed:

flow-tools
flowscan
CUFlow
cacti (I'm using 0.8.6h)


I'm using debian, so I was able to apt-get everything. Please note, though, that you need the testing version of flowscan to be able to use flow-tools.

So here's how it works:

Code:

Netflow from router -> flow-capture -> flowscan -> rrds -> cacti
                                 CUFlow -^

Netflow from Router:

On Cisco -

Code:

ip cef
! Do this on each interface
interface e0/0
  ip route-cache flow
  no ip mroute-cache
!
ip flow-export version 5 peer-as bgp-nexthop
ip flow-export destination 1.2.3.4 9999
! where 1.2.3.4 is your flow collector's IP and 9999 is the port you'll choose
! (this port must match the one flow-capture listens on)

Easy enough...

flow-capture:

apt-get install flow-capture #I love good package management
vi /etc/flow-tools/flow-capture.conf

Add the following:

-z0 -V5 -n 288 -N0 -w /home/flows -E2G 0/0/9801

Feel free to man flow-capture for details. You should change these details to suit your needs. Of main interest is the last number, "9801": this is the port that needs to correspond with your previous entry into your Cisco router. -z0 -V5 -N0 are important to have to work correctly with flowscan. -n 288 means to make a file capture every 5 minutes. -w is your save directory.

flowscan:

Pick your favorite method and install flowscan (note: needs to support flow-tools, not just cflowd, which ARE different)
apt-get install -t testing flowscan #good_package_management++

edit /etc/flowscan/flowscan.cf (or wherever your flowscan.cf is)

Change the defaults to:

Code:

FlowFileGlob /home/flows/ft-v05.*
ReportClasses CUFlow
WaitSeconds 30 # change to 300 if you use a SLOW machine or you're processor paranoid
Verbose 1 # you can change this later when it works for sure

Flowscan didn't come with an init script, so I made one.

Code:

#!/bin/sh
# Description: Start/stop Flowscan

case "$1" in
'start')
    # Run in the background, detached from the terminal; append stdout and stderr to the log
    /usr/bin/flowscan >> /var/log/flowscan 2>&1 </dev/null &
    ;;
'stop')
    killall -9 flowscan
    ;;
*)
    echo "Usage: $0 {start | stop}"
    ;;
esac
exit 0

Then, don't forget to add it to your startup scripts.


Optional:
Next, I wanted to keep 95th percentile marks ACCURATE for up to 2 months, so I had to change flowscan's way of making default rrds.

You don't have to do this if you don't care about accurate 95th percentile marks.

Edit your FlowScan.pm

Find the following and change the values to:

RRA:AVERAGE:.5:1:17280
RRA:AVERAGE:.5:6:1536
RRA:AVERAGE:.5:24:2268
RRA:AVERAGE:.5:288:1890
RRA:MAX:.5:24:2268
RRA:MAX:.5:288:1890

This SHOULD keep up to 60 days worth of non-compressed data before it starts to compress it down. Feel free to tell me if I'm wrong about this.


CUFlow:

Install cuflow perl module:
apt-get install -t testing flowscan-cuflow

edit /etc/flowscan/CUFlow.cf
Actually, go man CUFlow on Google, as you'll need to customize this. However, I'll give an example:

Code:

Subnet 1.2.3.0/24 #my internal networks
Network 1.2.3.128/25 customera # Customer A
Network 1.2.3.0/25 customerb #Customer B
OutputDir /home/flows/rrds

Comment out the rest of the crap, unless you want a dozen graphs that do a dozen things. This config is where you make different graphs based on IP assignment. Very useful in an ISP environment.



Now, if all goes well, you should be making rrds in /home/flows/rrds

Also, if you want to save your raw flow files, create a directory called "saved" in your /home/flows directory, as flowscan deletes the processed flows if it doesn't find a ./saved directory.


rrds -> cacti:

Feel free to search for your favorite process to do this. There are lots of tutorials on HOW to do this already. I will, however, link my personal favorite.

http://forums.cacti.net/viewtopic.php?t=12202


Also, I just duplicated the Traffic - (bits/sec, w/ 95th percentile) graph template for the netflows and it looks great!
Attachment: netflow-example.JPG (A thing of beauty...)
Loceur
Posts: 2
Joined: Thu Mar 09, 2006 9:38 am

Post by Loceur »

Hmm, maybe this should be in the HOWTO section. oops! :o
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom

Post by Howie »

It's worth mentioning that there are a couple of Unix tools to produce netflow data too (by sniffing a mirrored switch port, for example), if you don't have support for netflow in your routers.

On FreeBSD, check out ng_netflow, and also fprobe on Linux.

I've been using ng_netflow and nfsen for some time to monitor our transit usage better, but I hadn't thought about Cacti integration - that looks cool!
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
warenet
Cacti User
Posts: 53
Joined: Mon Feb 10, 2003 12:00 pm
Location: Southern / CA

Post by warenet »

I'm a bit confused on the editing of the RRD metadata.

I've edited the default cacti RRA settings and basically set the monthly one to have "5 minutes" worth of data by changing the "Rows" to 8928.

I guess I'm confused about the relation between rows and timespan, but I'd think you'd have to change the timespan for the daily RRA?

My monthly RRA (that I thought had 5 minute averages) is:

X-files: 0.5
Steps: 1
Rows: 8928
Timespan: 2678400

Is this wrong?

TIA
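
How rows, steps and timespan relate, worked through for the RRA lines in the HOWTO and for the monthly RRA asked about above. This is an added example, not code from any poster or from Cacti/FlowScan; it assumes the 300-second step that the rrdtool info output elsewhere in this thread shows, and `finest_rra` is a simplified model of which archive a graph span is served from.

```python
DAY = 86400

# RRA lines exactly as listed in the HOWTO's FlowScan.pm change
HOWTO_RRAS = """\
RRA:AVERAGE:.5:1:17280
RRA:AVERAGE:.5:6:1536
RRA:AVERAGE:.5:24:2268
RRA:AVERAGE:.5:288:1890
RRA:MAX:.5:24:2268
RRA:MAX:.5:288:1890
"""

def parse_rras(text, step=300):
    """Parse 'RRA:CF:xff:steps:rows' lines; add resolution and retention in seconds."""
    rras = []
    for line in text.split():
        parts = line.split(":")
        if len(parts) != 5 or parts[0] != "RRA":
            raise ValueError(f"not an RRA definition: {line!r}")
        steps, rows = int(parts[3]), int(parts[4])
        rras.append({
            "cf": parts[1],
            "xff": float(parts[2]),
            "resolution": steps * step,        # seconds covered by one row
            "retention": steps * rows * step,  # seconds covered by the whole archive
        })
    return rras

def finest_rra(rras, window, cf="AVERAGE"):
    """Simplified archive selection: the finest-resolution RRA of this CF that
    still spans `window` seconds, or None if no archive reaches back that far."""
    fits = [r for r in rras if r["cf"] == cf and r["retention"] >= window]
    return min(fits, key=lambda r: r["resolution"]) if fits else None

if __name__ == "__main__":
    rras = parse_rras(HOWTO_RRAS)
    for r in rras:
        print(f'{r["cf"]:8} one row = {r["resolution"]:>6}s, keeps {r["retention"] / DAY:g} days')
    for days in (30, 60, 61):
        best = finest_rra(rras, days * DAY)
        print(f"{days}-day window -> {best['resolution']}s per point")
    # The monthly RRA from the question above: steps 1, rows 8928
    print(parse_rras("RRA:AVERAGE:0.5:1:8928")[0]["retention"])
```

With a 300-second step, 17280 single-step rows span 60 days, and 8928 single-step rows span 2678400 seconds (31 days), so rows × steps × step is the timespan the archive covers.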
phiz
Posts: 2
Joined: Tue Apr 04, 2006 1:25 am
Location: Phoenix

Netflow Template

Post by phiz »

Good HOWTO. Thanks for the info. I'm using the

Code:

Netflow from router -> flow-capture -> flowscan -> rrds -> cacti
                                 CUFlow -^

setup and it works great. If anyone has any questions with this setup, feel free to e-mail me.

Do you have any more information about duplicating the Traffic - (bits/sec, w/ 95th percentile) graph template for the netflows? I'm having trouble with the process. I have duplicated the graph template, but I can't seem to figure out where to go from there.

Thanks again for the great HOWTO.

C
Quis custodiet ipsos custodes?
chercen
Posts: 41
Joined: Sun Apr 09, 2006 4:16 pm
Location: Spain

Post by chercen »

Nice howto...

However, I think using the ntop plugin for cacti offers much more information and is pretty easy to set up (enabling the netflow add-on). Of course, it always depends on how much information you require :)

Regards,
qwertz
Cacti User
Posts: 98
Joined: Thu Feb 16, 2006 9:20 am

Post by qwertz »

Hello,

I tried the Howto in the following link:
http://www.prolixium.com/sitenews.php?id=482
It looks like this tutorial, but when I start flowscan, I have the following thing:

flowscan
2006/06/04 12:07:29 working on file /var/lib/netflow/ft/ft-v05.2006-06-04.120501+0200...
/var/lib/netflow/ft/ft-v05.2006-06-04.120501+0200: Invalid index in cflowd flow file: 0xCF100103! Version 5 flow-export is required with *all* fields being saved.2006/06/04 12:07:29 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) for 1980 flow file bytes, flow hit ratio: 0/0
2006/06/04 12:07:29 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU)
sleep 30...

When I try an rrdtool info on an rrd file just created, there are UNKN values inside.

rrdtool info total.rrd
filename = "total.rrd"
rrd_version = "0003"
step = 300
last_update = 1149416933
ds[in_bytes].type = "ABSOLUTE"
ds[in_bytes].minimal_heartbeat = 400
ds[in_bytes].min = NaN
ds[in_bytes].max = NaN
ds[in_bytes].last_ds = "UNKN"
ds[in_bytes].value = 0.0000000000e+00
ds[in_bytes].unknown_sec = 0
etc ...

Regards
QWertz
qwertz
Cacti User
Posts: 98
Joined: Thu Feb 16, 2006 9:20 am

Post by qwertz »

Hello,
here
http://www.onlamp.com/pub/a/bsd/2005/09 ... tml?page=3
I read
If FlowScan complains about an "Invalid index in cflowd flow file," you probably didn't install the newest Flowscan.pm module. This is perhaps the most common error people make with FlowScan. If you have this problem, go get the appropriate version of the module as described earlier.

So what?
What do I have to download or check?
Thanks
Qwertz
tinycamp
Posts: 1
Joined: Thu Jul 27, 2006 11:28 pm

no monthly graphs!!!

Post by tinycamp »

It worked just fine for 20 days, now I don't have monthly graphs!!!!

heeeeeelp!
qwertz
Cacti User
Posts: 98
Joined: Thu Feb 16, 2006 9:20 am

Post by qwertz »

Nice, I am very happy for you.

Which tutorial did you use?

On my side I had nothing in my rrdfile with Ubuntu or Debian.

Thanks

qwertz
Skept
Posts: 12
Joined: Sun Jul 03, 2005 1:30 pm

Post by Skept »

Qwertz,

This error in flowscan logs means that CFlow is not compiled with flowtools support:
Invalid index in cflowd flow file: 0xCF100103! Version 5 flow-export is required with *all* fields being saved.

To enable cflow support, ensure that you compile cflow from within the flow-tools directory, right after you compile flow-tools. You will also see the -OSU flag during the compile process.
Skept
Posts: 12
Joined: Sun Jul 03, 2005 1:30 pm

Post by Skept »

qwertz,

[skept@stopgap flow-tools-0.68]$ cd contrib/
[skept@stopgap contrib]$ tar xzf Cflow-1.051.tar.gz
[skept@stopgap contrib]$ cd Cflow-1.051
[skept@stopgap Cflow-1.051]$ perl Makefile.PL
Checking if your kit is complete...
Looks good
Found flow-tools... using "-DOSU -I../../lib -I../../lib/.. -L../../lib -lft -lz".

Anyway, I configured yet another system this morning.
justinchudgar
Posts: 9
Joined: Thu Oct 19, 2006 7:59 pm
Location: Weed, Siskiyou County, CA, USA

No RRD file output...

Post by justinchudgar »

I've checked twice and I am using the latest (Debian unstable) version of all relevant packages. I've also run through the how-to steps several times and I am convinced that I did not miss anything.

Flowscan runs, and it shows "sleeping 30..." in /var/log/flowscan.log on the scheduled intervals. However, nothing shows up in my netflows/rrds directory. I know that I am getting netflow traffic to my box, as well.

What is happening is files are created in netflows/ every 5 minutes ( -n 288). Following is an ls of my netflows/:

-rw-r--r-- 1 root root 10708 2006-10-19 17:51 ft-v05.2006-10-19.174952-0700
-rw-r--r-- 1 root root 15892 2006-10-19 17:56 ft-v05.2006-10-19.175118-0700
-rw-r--r-- 1 root root 19796 2006-10-19 18:01 ft-v05.2006-10-19.175617-0700
-rw-r--r-- 1 root root 15188 2006-10-19 18:06 ft-v05.2006-10-19.180116-0700
-rw-r--r-- 1 root root 22100 2006-10-19 18:11 ft-v05.2006-10-19.180615-0700
-rw-r--r-- 1 root root 15188 2006-10-19 18:16 ft-v05.2006-10-19.181113-0700
-rw-r--r-- 1 root root 19604 2006-10-19 18:21 ft-v05.2006-10-19.181613-0700
drwxrwxrwx 2 root root 4096 2006-10-19 09:53 rrds
drwxrwxrwx 2 root root 4096 2006-10-19 10:00 saved
-rw-r--r-- 1 root root 84 2006-10-19 18:21 tmp-v05.2006-10-19.182111-0700

In case it matters, I am running Ubuntu Edgy and am trying to receive flow data from several WRT-54's. DD-WRT's rflow-collector works fine under Windows; but, I am transitioning to Linux.

Please direct me where to troubleshoot from. And, please be more verbose than you would with a longtime 'NIX sysadmin since I am not as skilled as most of you.

Thanks.

____________________

Fixed that problem. In CUFlow.cf, the networks must be subsets of the subnets. See http://www.columbia.edu/acis/networks/a ... UFlow.html for a good description of the cuflow options.
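
The rule from the fix above, that every Network in CUFlow.cf must fall inside a Subnet, can be checked before restarting flowscan. This is an added example, not part of the original posts or of CUFlow; it assumes one CIDR block per Subnet/Network line as in the HOWTO's sample, and the `customerc` line is constructed to show a failing entry.

```python
import ipaddress

# Constructed sample in the layout of the HOWTO's CUFlow.cf; "customerc" is a
# deliberately misplaced entry added for this illustration.
SAMPLE_CF = """\
Subnet 1.2.3.0/24 #my internal networks
Network 1.2.3.128/25 customera # Customer A
Network 1.2.3.0/25 customerb #Customer B
Network 10.9.8.0/24 customerc # outside every Subnet
OutputDir /home/flows/rrds
"""

def parse_cuflow(text):
    """Return (subnets, networks) from Subnet/Network lines; other directives are ignored."""
    subnets, networks = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, split on whitespace
        if not fields:
            continue
        if fields[0] == "Subnet" and len(fields) >= 2:
            subnets.append(ipaddress.ip_network(fields[1], strict=False))
        elif fields[0] == "Network" and len(fields) >= 3:
            net = ipaddress.ip_network(fields[1], strict=False)
            networks.append((lineno, fields[2], net))
    return subnets, networks

def orphan_networks(text):
    """List (line, label, cidr) for Network entries not contained in any Subnet."""
    subnets, networks = parse_cuflow(text)
    orphans = []
    for lineno, label, net in networks:
        # subnet_of() raises TypeError across IP versions, so compare versions first
        covered = any(net.version == s.version and net.subnet_of(s) for s in subnets)
        if not covered:
            orphans.append((lineno, label, str(net)))
    return orphans

if __name__ == "__main__":
    for lineno, label, cidr in orphan_networks(SAMPLE_CF):
        print(f"line {lineno}: Network {label} ({cidr}) is not inside any Subnet")
```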
caseinpoint
Posts: 2
Joined: Tue Oct 31, 2006 7:08 pm

How does flowscan know...

Post by caseinpoint »

How does flowscan know where to load the config file from?

Is it compiled into the binary?

I think I'm starting my flowscan binary, but it's not reading my configuration file.

How do I make sure that my startup script tells flowscan where to look for my config?
caseinpoint
Posts: 2
Joined: Tue Oct 31, 2006 7:08 pm

Also...

Post by caseinpoint »

This never worked for me

Code:

apt-get install -t testing flowscan-cuflow

I'm looking at the standard and universe apt lists and I can't find those anywhere.

Where did you get that?