Introduction and installation of nfdump and nfcapd

2025-04-03 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article introduces nfdump and nfcapd and shows how to install them. The editor thinks it is very practical and shares it for your reference; follow along and have a look.

Netflow receiver

Once you have an exporter sending NetFlow, you also need a receiver (collector) to gather and analyze the data. Commercial products such as ManageEngine and SolarWinds are generally licensed per monitored node or by flow volume, which is more than you can afford.

Later I found an open source tool on GitHub called nfdump, which is the backend of nfsen. Why not recommend nfsen directly? Because I find the nfsen interface poor, and its traffic graphs are PNG images, which are hard to build on. nfdump, on the other hand, can emit its data as text, which lends itself to further development: the records can be loaded into a database and then displayed with Grafana.

nfdump introduction and official site (on GitHub; if you cannot open it, please use * *):

https://github.com/phaag/nfdump/blob/master/README.md

As of the end of 2019, the latest version is 1.6.18, which is also the version installed by default with yum.

nfdump is a toolset that collects and processes NetFlow and sFlow data. It supports NetFlow v1, v5, v7 and v9, and both IPv4 and IPv6.

Installation

Environment: CentOS 7

Replace the yum repository (optional):

cd /etc/yum.repos.d/
mv CentOS-Base.repo CentOS-Base.repo.bak
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
mv CentOS7-Base-163.repo CentOS-Base.repo
yum update

Install nfdump:

yum -y install nfdump

View the version:

nfdump -V

The five tools of nfdump

nfcapd - the NetFlow collector daemon. It receives the flow data sent by the exporting devices and writes it to files, rotating to a new file every 5 minutes by default.

nfdump - reads and processes the stored data. nfdump reads NetFlow data from one or more files written by nfcapd. Its syntax is very similar to tcpdump's: it can print individual flow records, produce aggregated statistics, and sort by fields such as packets or bytes.

nfanon - anonymizes NetFlow records. IP addresses in the flow records are anonymized using the CryptoPAn method.

nfexpire - discards old data and manages data expiration according to the configured limits. Used by NfSen.

nfreplay - NetFlow replay. Reads NetFlow data from a file written by nfcapd and sends it to another host.

Command parameters

nfcapd command parameters:

-h: help.
-w: align file rotation to the next n-minute interval (n given by -t). In actual testing I saw no benefit: the rotation cycle is determined entirely by -t, and using -w on its own has no effect.
-t: (important) the interval, in seconds, at which files are rotated. The default is 300s. This determines how often a new nfcapd file is produced; 60s is recommended.
-b: the address to listen on, either an IP address or a hostname.
-4: listen on IPv4 only; can be combined with -b.
-6: listen on IPv6 only; can be combined with -b.
-J: join a multicast group.
-p: (important) the port to listen on.
-l: (important) the output directory.
-S: (useful) sub-directory hierarchy for the stored files; the directories are created automatically. See the man page for details.
-n: (useful) with multiple data sources, specifies each source's parameters in the format Ident,IP,logdir.
-P: sets the pid file.
-R: repeat incoming packets to another IP address/port. Up to 8 repeaters.
-B: sets the socket buffer size.
-D: (important) run in the background as a daemon.
-T: (important) the extensions to record. See the man page for details.
-V: print the version.

nfdump command parameters:

-h: help.
-V: print the version.
-a: aggregate by the 5-tuple: protocol, srcip, dstip, srcport and dstport.
-A: selective aggregation. You can aggregate by srcip or by protocol alone, or separate several fields with ',' to aggregate by all of them, e.g. -A proto,srcip,dstport. See the man page for details.
-b: like -a, except that the two directions of a connection are aggregated into one record.
-B: like -A, except that the two directions of a connection are aggregated into one record.
-r: read a single file.
-w: write the results to a file. Default ASCII format.
-n: show only the first n records.
-c: read only up to the specified number of records.
-D: use DNS to resolve IP addresses to hostnames.
-N: print plain numbers, e.g. the TCP protocol is shown as 6.
-s: format -s <statistic>[/<orderby>]; generates statistics for the given field and sorts them by the given order key. See the man page for details.
-q: do not print the header line or the summary lines at the bottom.
-I: read the summary information from the nfcapd file given by -r.
-M: read several directories, in the format /dir/dir1:dir2:dir3; the same file names are read from each directory.
-O: the sort key, e.g. bytes, tstart, flows.
-R: read multiple files, e.g. -R nfcapd.201912301833:nfcapd.201912301837.
-o: the output format, e.g. csv, json or long; a custom format can also be given.

Configuration examples

nfcapd configuration examples

Listen on the default port 9995, store the flows to files, and record all v9 extensions:

nfcapd -z -w -D -T all -l /netflow/spool/allflows -I any -S 2 -P /var/run/nfcapd.allflows.pid

Collect data from two different exporters on port 8877, store each in its own directory, and set the socket buffer size to 128000 bytes:

nfcapd -z -w -D -T all -p 8877 -n upstream,192.168.1.1,/netflow/spool/upstream -n peer,192.168.2.1,/netflow/spool/peer -S 2 -B 128000

Receive data from a single exporter only, record only extensions 3, 4 and 5, run a command after each file is written (the command path is a placeholder), and expire old data automatically:

nfcapd -w -D -T 3,4,5 -n upstream,192.168.1.1,/netflow/spool/upstream -p 23456 -B 128000 -x '/path/to/command -r %d/%f' -P /var/run/nfcapd/nfcapd.pid -e

nfdump configuration examples

Query the first 100 records, matching TCP flows with source address 172.16.17.18 or destination address 172.16.17.19:

nfdump -r /and/dir/nfcapd.201107110845 -c 100 'proto tcp and (src ip 172.16.17.18 or dst ip 172.16.17.19)'

Query the records from 8:45 to 9:45 on July 11 for the IP address 192.168.1.2:

nfdump -R /and/dir/nfcapd.201107110845:nfcapd.201107110945 'host 192.168.1.2'

Query the top 20 flows across multiple data sources:

nfdump -M /to/and/dir1:dir2 -R nfcapd.200407110845:nfcapd.200407110945 -s record -n 20

Read the 18:33 file, aggregate by source and destination address, sort by bytes in descending order, and print the first 20 records in a custom format:

nfdump -r nfcapd.201912301833 -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl" -A srcip,dstip -O bytes -n 20

Result (screenshot not reproduced here).
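As an added example (not from the original article or the nfdump project) of the "secondary development" the article has in mind, the script below parses lines printed by nfdump in the custom format used just above, loads them into SQLite, and answers the same top-talkers question in SQL. It assumes nfdump was run with -N (plain numbers) and -q (no header or summary lines); the sample lines are constructed, not real captures.

```python
"""Parse nfdump custom-format output into SQLite for further analysis.

Added example, not from the article or the nfdump project. Assumes nfdump was
run with -N -q and the article's format string:
  -o "fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %fl"
"""
import sqlite3

# Constructed sample output in the article's fmt layout (not real flow data).
SAMPLE_OUTPUT = """\
2019-12-30 18:33:01.120     0.250 TCP      192.168.1.10:44321 ->      10.0.0.5:443    .AP.SF    0       12     8765     1
2019-12-30 18:33:02.004     0.000 UDP      192.168.1.11:53412 ->     10.0.0.53:53     ......    0        1       76     1
2019-12-30 18:33:03.500     1.750 TCP      192.168.1.10:44322 ->      10.0.0.6:443    .AP.SF    0       40    51200     1
2019-12-30 18:33:04.010     0.000 ICMP     192.168.1.12:0     ->      10.0.0.5:8.0    ......    0        2      128     1
"""

def parse_line(line):
    """Split one fmt line into a record; %ts spans two whitespace tokens."""
    t = line.split()
    if len(t) != 12 or t[5] != "->":
        raise ValueError(f"unexpected field layout: {line!r}")
    # rpartition keeps IPv6 addresses intact and handles ICMP type.code ports.
    src_ip, _, src_port = t[4].rpartition(":")
    dst_ip, _, dst_port = t[6].rpartition(":")
    return {"ts": f"{t[0]} {t[1]}", "duration": float(t[2]), "proto": t[3],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "flags": t[7], "tos": int(t[8]), "packets": int(t[9]),
            "bytes": int(t[10]), "flows": int(t[11])}

def load(text):
    """Load all parsed records into an in-memory SQLite table named flows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (ts TEXT, duration REAL, proto TEXT, "
               "src_ip TEXT, src_port TEXT, dst_ip TEXT, dst_port TEXT, "
               "flags TEXT, tos INTEGER, packets INTEGER, bytes INTEGER, flows INTEGER)")
    rows = [parse_line(l) for l in text.splitlines() if l.strip()]
    db.executemany("INSERT INTO flows VALUES (:ts,:duration,:proto,:src_ip,:src_port,"
                   ":dst_ip,:dst_port,:flags,:tos,:packets,:bytes,:flows)", rows)
    return db

def top_talkers(db, n=20):
    """SQL equivalent of the article's -A srcip,dstip -O bytes -n query."""
    return db.execute("SELECT src_ip, dst_ip, SUM(bytes) AS byt FROM flows "
                      "GROUP BY src_ip, dst_ip ORDER BY byt DESC LIMIT ?", (n,)).fetchall()

if __name__ == "__main__":
    for row in top_talkers(load(SAMPLE_OUTPUT)):
        print(row)
```

Replacing the in-memory connection with a file or a server-side database is all that is needed to feed the rows to Grafana.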

Those are the details of nfdump and nfcapd. Did you learn anything from reading them? If you want to know more, you are welcome to follow our industry news!
