Thursday, August 18, 2016

Set up nfdump to capture NetFlow from a Cisco router

*** on server ***

1- install nfdump
$ sudo apt-get install nfdump

2- create a directory for the NetFlow data and start the collector daemon (nfcapd) listening on UDP port 12345
   (-w aligns file rotation to the next 5-minute interval, -D runs it as a daemon, -l sets the data directory, -p the listening port)
$ sudo mkdir -p /flow/r1
$ sudo nfcapd -w -D -l /flow/r1 -p 12345

*** on router ***
1- NetFlow is enabled only on interface f0/0 here. The configuration below turns it on for f0/0 ("ip route-cache flow" is the
legacy interface command; newer IOS releases use "ip flow ingress") and exports version 5 records to our server, 192.168.56.23, on UDP port 12345:
interface FastEthernet0/0
 ip address 192.168.56.5 255.255.255.0
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.45.1 255.255.255.0
 duplex auto
 speed auto
!
!
ip route 0.0.0.0 0.0.0.0 192.168.56.23
!
ip flow-export version 5
ip flow-export destination 192.168.56.23 12345
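
As an added example (not code from the original post or from nfdump), the following Python decodes the NetFlow v5 datagrams that the export configuration above sends to the collector on UDP port 12345; the header and record layouts are those of the NetFlow v5 format, and the sample datagram is constructed here. It also shows how each flow's wall-clock start time is derived from the router's own clock, which is why an unsynchronised router produces wrongly dated records.

```python
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address
# Layouts from the NetFlow v5 format: 24-byte header, 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def decode_v5(datagram):
    """Decode one export datagram into (header dict, list of flow dicts)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, _flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        # first/last are router uptime in ms; the wall-clock start comes from
        # the exporter's own clock (unix_secs), so an unsynchronised router
        # produces wrongly dated flows like the 2002 timestamps shown below.
        start = unix_secs - (sys_uptime - first) / 1000.0
        flows.append({"src": str(IPv4Address(src)), "sport": sport,
                      "dst": str(IPv4Address(dst)), "dport": dport,
                      "proto": proto, "packets": pkts, "bytes": octets,
                      "duration": (last - first) / 1000.0,
                      "start": datetime.fromtimestamp(start, timezone.utc)})
    return {"count": count, "sequence": seq, "unix_secs": unix_secs}, flows

def sample_datagram():
    """Constructed datagram (not a real capture): one UDP flow
    8.8.8.8:53 -> 192.168.45.2:1042, 15 packets, 2418 bytes, 51.196 s,
    exported with the router clock at 2016-08-17 05:05:00 UTC."""
    header = HEADER.pack(5, 1, 600000, 1471410300, 0, 1, 0, 0, 0)
    record = RECORD.pack(IPv4Address("8.8.8.8").packed,
                         IPv4Address("192.168.45.2").packed, bytes(4),
                         1, 2, 15, 2418, 548804, 600000, 53, 1042,
                         0, 0, 17, 0, 0, 0, 0, 0, 0)
    return header + record

if __name__ == "__main__":
    hdr, flows = decode_v5(sample_datagram())
    for f in flows:
        print(f["start"], f["src"], "->", f["dst"], f["bytes"], "bytes")
```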

****************************

Wait a while for data to be collected; nfcapd writes a new file every 5 minutes, named nfcapd.YYYYMMDDhhmm after the start of the interval.
1- to view the collected NetFlow records, read one of those files with nfdump:
(Note that the flows below are dated 2002 although the file is from 2016-08-17: nfdump derives flow times from the exporting router's clock, so set the clock or configure NTP on the router before trusting them.)

$ nfdump -r /flow/r1/nfcapd.201608170500
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2002-02-28 21:44:33.043     0.488 TCP       198.35.26.96:80    ->     192.168.45.2:1090         5      687     1
2002-02-28 21:44:34.607     0.280 TCP       198.35.26.96:443   ->     192.168.45.2:1091         3      128     1
2002-02-28 21:44:40.351     0.132 TCP      119.15.80.155:443   ->     192.168.45.2:1094         5      215     1
2002-02-28 21:44:40.495     0.120 TCP      119.15.80.155:443   ->     192.168.45.2:1095         5      215     1
2002-02-28 21:44:25.687     2.000 TCP     204.79.197.203:80    ->     192.168.45.2:1084        25    28031     1
2002-02-28 21:44:26.067     1.352 TCP         175.28.3.8:80    ->     192.168.45.2:1085        21    15787     1
2002-02-28 21:44:26.075     1.316 TCP         175.28.3.8:80    ->     192.168.45.2:1086        22    16640     1
2002-02-28 21:44:26.399     1.464 TCP      111.221.29.30:80    ->     192.168.45.2:1087         3      974     1
2002-02-28 21:44:26.499     1.316 TCP         175.28.3.9:80    ->     192.168.45.2:1088         4      786     1
2002-02-28 21:44:26.643     1.252 TCP       23.99.125.55:80    ->     192.168.45.2:1089         4     1226     1
2002-02-28 21:44:39.071     0.112 TCP      119.15.80.185:80    ->     192.168.45.2:1092         3     1024     1
2002-02-28 21:44:39.303     0.328 TCP      119.15.80.155:80    ->     192.168.45.2:1093         3     1037     1
2002-02-28 21:44:45.303     0.296 TCP       23.76.64.132:80    ->     192.168.45.2:1096         3      894     1
2002-02-28 21:44:45.759     0.324 TCP      104.90.214.54:80    ->     192.168.45.2:1097         3      433     1
2002-02-28 21:44:46.487     0.080 TCP         175.28.3.8:80    ->     192.168.45.2:1098         4     2618     1
2002-02-28 21:44:46.495     0.252 TCP         175.28.3.8:80    ->     192.168.45.2:1099        13    16310     1
2002-02-28 21:45:01.379     0.240 TCP       198.35.26.96:443   ->     192.168.45.2:1102         3      128     1
2002-02-28 21:44:46.159     3.208 TCP     204.79.197.203:80    ->     192.168.45.2:1084        22    26094     1
2002-02-28 21:44:46.527     2.956 TCP         175.28.3.9:80    ->     192.168.45.2:1088         2      698     1
2002-02-28 21:44:46.579     2.964 TCP      111.221.29.30:80    ->     192.168.45.2:1087         2      926     1
2002-02-28 21:44:46.707     3.040 TCP       23.99.125.55:80    ->     192.168.45.2:1089         4     1218     1
2002-02-28 21:45:06.123     0.260 TCP       198.35.26.96:443   ->     192.168.45.2:1103         3      128     1
2002-02-28 21:45:11.335     0.160 TCP        23.67.8.140:443   ->     192.168.45.2:1104         3      128     1
2002-02-28 21:45:16.843     0.152 TCP      23.15.106.180:443   ->     192.168.45.2:1106         3      128     1
2002-02-28 21:45:17.055     0.232 TCP      118.68.82.105:443   ->     192.168.45.2:1107         3      128     1
2002-02-28 21:45:17.571     0.276 TCP      118.68.82.105:443   ->     192.168.45.2:1108         3      128     1
2002-02-28 21:45:21.007     0.124 TCP      23.15.106.180:443   ->     192.168.45.2:1113         3      128     1
2002-02-28 21:45:21.119     0.216 TCP      118.68.82.105:443   ->     192.168.45.2:1112         3      128     1
2002-02-28 21:45:21.623     0.280 TCP      118.68.82.105:443   ->     192.168.45.2:1114         3      128     1
2002-02-28 21:45:22.259     0.248 TCP      118.68.82.105:443   ->     192.168.45.2:1115         3      128     1
2002-02-28 21:45:22.283     0.260 TCP      118.68.82.105:443   ->     192.168.45.2:1116         3      128     1
2002-02-28 21:45:22.747     0.264 TCP      118.68.82.105:443   ->     192.168.45.2:1117         3      128     1
2002-02-28 21:45:27.295     0.464 TCP       198.35.26.96:80    ->     192.168.45.2:1120         5      770     1
2002-02-28 21:45:28.567     0.264 TCP       198.35.26.96:443   ->     192.168.45.2:1121         3      128     1
2002-02-28 21:44:25.611    51.196 UDP            8.8.8.8:53    ->     192.168.45.2:1042        15     2418     1
2002-02-28 21:45:17.459     0.104 TCP     216.58.221.130:80    ->     192.168.45.2:1109         4     2200     1
2002-02-28 21:45:17.731     0.336 TCP       216.58.199.2:80    ->     192.168.45.2:1110        40    55139     1
2002-02-28 21:45:18.439     0.104 TCP       216.58.203.1:80    ->     192.168.45.2:1111         4     2274     1
2002-02-28 21:45:15.483     5.372 TCP    170.149.159.130:80    ->     192.168.45.2:1105        31    36885     1
2002-02-28 21:45:22.807     0.588 TCP      118.68.82.105:80    ->     192.168.45.2:1118        20    24871     1
2002-02-28 21:45:23.267     0.264 TCP      118.68.82.105:80    ->     192.168.45.2:1119         8     7704     1
2002-02-28 21:45:39.283     0.000 TCP      119.15.80.185:80    ->     192.168.45.2:1092         1       40     1
2002-02-28 21:45:39.427     0.000 TCP      119.15.80.155:80    ->     192.168.45.2:1093         1       40     1
2002-02-28 21:45:16.711    10.348 UDP            8.8.8.8:53    ->     192.168.45.2:1055         6      785     1
2002-02-28 21:45:43.731     1.296 TCP     66.235.120.235:80    ->     192.168.45.2:1126         5      926     1
2002-02-28 21:45:44.379     1.204 TCP      66.235.120.96:80    ->     192.168.45.2:1132         5      611     1
2002-02-28 21:45:45.091     0.876 TCP      66.235.120.63:80    ->     192.168.45.2:1135         5      734     1
2002-02-28 21:45:43.719     3.380 TCP         175.28.3.9:80    ->     192.168.45.2:1128        16    13891     1
2002-02-28 21:45:45.451     0.764 TCP     66.235.120.235:80    ->     192.168.45.2:1136         5      792     1
2002-02-28 21:45:46.595     0.112 TCP        31.13.78.35:443   ->     192.168.45.2:1141         3      128     1
2002-02-28 21:45:46.803     0.212 TCP      216.58.197.98:443   ->     192.168.45.2:1142         5      215     1
2002-02-28 21:45:47.031     0.220 TCP      216.58.197.98:443   ->     192.168.45.2:1143         6      255     1
2002-02-28 21:44:57.643    40.432 TCP     204.79.197.200:80    ->     192.168.45.2:1100       212   199033     1
2002-02-28 21:44:58.071    39.996 TCP     204.79.197.200:80    ->     192.168.45.2:1101       228   231240     1
2002-02-28 21:45:50.887     0.604 TCP      66.235.120.63:80    ->     192.168.45.2:1146         5      734     1
2002-02-28 21:45:50.271     2.028 TCP         175.28.3.9:80    ->     192.168.45.2:1145        13    10553     1
2002-02-28 21:45:38.203     1.536 TCP     204.79.197.200:80    ->     192.168.45.2:1123        46    50450     1
2002-02-28 21:45:53.039     1.684 TCP         175.28.3.9:80    ->     192.168.45.2:1148        13    10551     1
2002-02-28 21:45:53.679     0.628 TCP      66.235.120.63:80    ->     192.168.45.2:1149         5      734     1
2002-02-28 21:45:38.191     4.596 TCP     204.79.197.200:80    ->     192.168.45.2:1122        34    31027     1
2002-02-28 21:45:55.359     1.616 TCP         175.28.3.9:80    ->     192.168.45.2:1151        13    10553     1
2002-02-28 21:45:55.955     0.640 TCP      66.235.120.63:80    ->     192.168.45.2:1152         5      734     1
2002-02-28 21:45:43.315     0.376 TCP         175.28.3.9:80    ->     192.168.45.2:1125        38    54088     1
2002-02-28 21:45:43.355     0.556 UDP            8.8.8.8:53    ->     192.168.45.2:1042         2      321     1
2002-02-28 21:45:43.739     0.344 TCP         175.28.3.9:80    ->     192.168.45.2:1088         2     1512     1
2002-02-28 21:45:44.123     0.132 TCP        175.28.3.16:80    ->     192.168.45.2:1134         6     4220     1
2002-02-28 21:45:44.135     0.404 TCP     104.90.236.239:80    ->     192.168.45.2:1131        19    22898     1
2002-02-28 21:45:58.467     0.624 TCP      66.235.120.63:80    ->     192.168.45.2:1155         5      734     1
2002-02-28 21:45:44.175     1.772 TCP      172.217.26.72:80    ->     192.168.45.2:1133        17    22134     1
2002-02-28 21:45:57.827     1.684 TCP         175.28.3.9:80    ->     192.168.45.2:1154        13    10551     1
2002-02-28 21:45:42.891     3.856 UDP            8.8.8.8:53    ->     192.168.45.2:1055         5      654     1
2002-02-28 21:45:43.811     2.652 UDP            8.8.8.8:53    ->     192.168.45.2:1130         5      883     1
2002-02-28 21:45:43.863     2.652 UDP            8.8.8.8:53    ->     192.168.45.2:1129         3      351     1
2002-02-28 21:45:46.159     0.256 TCP      119.15.80.187:80    ->     192.168.45.2:1138        12    12706     1
2002-02-28 21:45:46.239     0.180 TCP        31.13.78.17:80    ->     192.168.45.2:1139         6     4867     1
2002-02-28 21:45:42.919     7.184 TCP         175.28.3.9:80    ->     192.168.45.2:1124       143   200367     1
2002-02-28 21:45:50.495    17.028 TCP     66.235.120.236:80    ->     192.168.45.2:1144         4      184     1
2002-02-28 21:45:46.079    13.068 TCP         175.28.3.9:80    ->     192.168.45.2:1137        11     4617     1
2002-02-28 21:45:53.283    19.660 TCP     66.235.120.236:80    ->     192.168.45.2:1147         4      184     1
2002-02-28 21:45:58.063    14.248 TCP     66.235.120.236:80    ->     192.168.45.2:1153         4      184     1
2002-02-28 21:45:46.563    14.276 TCP     74.125.204.156:443   ->     192.168.45.2:1140         5      240     1
2002-02-28 21:45:43.743    22.092 TCP     66.235.120.236:80    ->     192.168.45.2:1127         4      192     1
2002-02-28 21:46:10.955     0.000 UDP            8.8.8.8:53    ->     192.168.45.2:1130         1      149     1
2002-02-28 21:46:04.671     9.124 TCP     204.79.197.203:80    ->     192.168.45.2:1156        47    53628     1
2002-02-28 21:46:05.107     8.996 TCP         175.28.3.9:80    ->     192.168.45.2:1088         4     1396     1
2002-02-28 21:46:11.003     2.960 TCP         175.28.3.8:80    ->     192.168.45.2:1160        11     7112     1
2002-02-28 21:46:05.159     9.008 TCP      111.221.29.30:80    ->     192.168.45.2:1158         5     1900     1
2002-02-28 21:46:05.187     9.000 TCP       23.99.125.55:80    ->     192.168.45.2:1159         7     2404     1
2002-02-28 21:46:05.079    10.624 TCP         175.28.3.8:80    ->     192.168.45.2:1157        61    62096     1
2002-02-28 21:46:11.287     4.460 TCP         175.28.3.8:80    ->     192.168.45.2:1161        99   126471     1
2002-02-28 21:46:16.835     0.000 TCP     74.125.204.156:443   ->     192.168.45.2:1140         1       48     1
2002-02-28 21:45:55.603    22.424 TCP     66.235.120.236:80    ->     192.168.45.2:1150         4      192     1
2002-02-28 21:46:29.819     0.000 TCP     66.235.120.236:80    ->     192.168.45.2:1127         1       48     1
2002-02-28 21:46:44.707     0.000 TCP     204.79.197.200:80    ->     192.168.45.2:1122         1       40     1
2002-02-28 21:46:46.495     0.000 TCP      119.15.80.187:80    ->     192.168.45.2:1138         1       40     1
2002-02-28 21:46:42.031     0.000 TCP     66.235.120.236:80    ->     192.168.45.2:1150         1       48     1
2002-02-28 21:47:01.991     0.456 TCP         175.28.3.8:80    ->     192.168.45.2:1160        17    20247     1
2002-02-28 21:47:02.351     1.152 TCP         175.28.3.8:80    ->     192.168.45.2:1161        26    19620     1
2002-02-28 21:47:02.355     1.216 TCP         175.28.3.8:80    ->     192.168.45.2:1157        37    38733     1
2002-02-28 21:47:01.647    17.016 TCP     204.79.197.203:80    ->     192.168.45.2:1156        48    58132     1
2002-02-28 21:47:02.347    16.692 TCP         175.28.3.9:80    ->     192.168.45.2:1088         3     1047     1
2002-02-28 21:47:02.399    16.692 TCP      111.221.29.30:80    ->     192.168.45.2:1158         3     1389     1
2002-02-28 21:47:02.427    16.692 TCP       23.99.125.55:80    ->     192.168.45.2:1159         4     1747     1
2002-02-28 21:47:03.847    15.284 UDP            8.8.8.8:53    ->     192.168.45.2:1130         2      302     1
2002-02-28 21:47:03.895    15.240 TCP         175.28.3.8:80    ->     192.168.45.2:1162        37    44340     1
2002-02-28 21:47:19.403     1.052 TCP      118.68.82.130:80    ->     192.168.45.2:1165        15    16606     1
2002-02-28 21:47:19.415     0.852 TCP      118.68.82.130:80    ->     192.168.45.2:1166        15    15910     1
2002-02-28 21:47:04.239    19.504 TCP         175.28.3.8:80    ->     192.168.45.2:1163       142   154670     1
2002-02-28 21:47:19.007     4.720 TCP         175.28.3.8:80    ->     192.168.45.2:1164       130   136377     1
Summary: total flows: 109, total bytes: 1.9 M, total packets: 1985, avg bps: 86249, avg pps: 11, avg bpp: 967
Time window: 2002-02-28 21:44:25 - 2002-02-28 21:47:23
Total flows processed: 109, Blocks skipped: 0, Bytes read: 5332
Sys: 0.002s flows/second: 46661.0    Wall: 0.014s flows/second: 7585.8 
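
As an added example (not from the original post), the following Python parses nfdump's default record lines, as printed above, into dicts and runs two quick defender-side summaries over them: total bytes per source address, and flows that stay open for a long time while carrying very little data per packet. The sample input is a constructed subset of the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the nfdump default output shown above.
SAMPLE = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2002-02-28 21:44:33.043     0.488 TCP       198.35.26.96:80    ->     192.168.45.2:1090         5      687     1
2002-02-28 21:44:25.611    51.196 UDP            8.8.8.8:53    ->     192.168.45.2:1042        15     2418     1
2002-02-28 21:45:50.495    17.028 TCP     66.235.120.236:80    ->     192.168.45.2:1144         4      184     1
2002-02-28 21:45:53.283    19.660 TCP     66.235.120.236:80    ->     192.168.45.2:1147         4      184     1
2002-02-28 21:44:57.643    40.432 TCP     204.79.197.200:80    ->     192.168.45.2:1100       212   199033     1
"""

# One record line: start, duration, proto, src:port -> dst:port, packets, bytes, flows.
# Header/summary lines and scaled counts such as "1.9 M" do not match and are skipped.
LINE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+):(\d+)\s+->\s+"
                  r"(\S+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_nfdump(text):
    """Return the record lines of nfdump default output as dicts."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        start, dur, proto, src, sport, dst, dport, pkts, byts, _n = m.groups()
        flows.append({"start": start, "duration": float(dur), "proto": proto,
                      "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "packets": int(pkts), "bytes": int(byts)})
    return flows

def bytes_by_source(flows):
    """Total bytes per source address, largest first (top talkers)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def long_lived_low_volume(flows, min_seconds=15.0, max_bpp=64):
    """Flows open for at least min_seconds that carry at most max_bpp bytes per
    packet: typically idle sessions or keep-alives, worth reviewing against a
    baseline because they are easy to miss among the high-volume web traffic."""
    return [f for f in flows
            if f["duration"] >= min_seconds and f["bytes"] / f["packets"] <= max_bpp]

if __name__ == "__main__":
    flows = parse_nfdump(SAMPLE)
    print(bytes_by_source(flows), long_lived_low_volume(flows))
```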