Version 1.4.1 - February 1, 2006
© copyright 2006 by Robert S. Galloway <rgalloway>
All Rights Reserved.
The author believes that appropriate credit has been given. If anyone has been missed, please alert me.
This document may be reproduced and distributed in its entirety (including this authorship, copyright, and permission notice), provided that no charge is made for the document itself.
Before proceeding with any of the installs or configuration steps, I suggest that you read at least that section. It's really best to read through this entire document before you start, but I too am known to be impatient from time to time. At least read each section before starting on the steps included in that section. Ready? Set? Let's go!
Router Support
Most Cisco routers, all the way down to the 806, support NetFlow exporting. To see if your router and IOS version supports NetFlow, please visit http://www.cisco.com/go/fn and search for "NetFlow". Again, many other networking vendors have their own implementation of NetFlow. Please visit each vendor's respective site for more detailed information. If they support NetFlow version 5, this setup should be compatible.
For the purposes of this setup, you will need to use NetFlow version 5. The flow-tools collector is capable of handling newer versions of NetFlow and storing them in its single unified file format that FlowScan can understand. This is useful, for instance, when collecting flows from a Cisco Catalyst 65xx, which uses a different version by default. (The 65xx can also be set up for version 5. See the appendix for the suggested configuration.) Please consult the FlowScan and flow-tools mailing lists listed in the appendix for more information about non-version 5 setups. Setting up FlowScan to use versions of NetFlow other than version 5 is outside of the scope of this document.
The Flow Collector and Reporting System
The Flow Collector can be any Unix/Linux based system. As I mentioned previously, I prefer CentOS for the operating system. I have found that it is best to have a dedicated server because the report generation can take a lot of processing time. You can use just about anything, but IT MUST process the flow files in under five minutes. I suggest that you aim for less than 2.5 to 3 minutes to better handle unusual traffic patterns such as virus infections and DoS attacks. Most of the virulent viruses these days use networks to spread. One computer with a virus can open thousands of connections per second. The flow reporting from the router will show these connections, even if they are not successful. (Use the TopTalkers reports to track down the IPs.)
I currently have several NetFlow Reporting systems in production. The "big bad" system is at our Primary Network Operations Center. Others include remote locations that support dialup clients, and my house. This section should give you some idea of how this will scale.
The main NOC system produces reports for two Cisco 7513 routers and one 7206 router. Each router has one Internet DS-3. During peak hours of traffic, we push about 80-100 megabits per second (Mbps) total in each direction (to and from the Internet). This creates about 1.7 million flows every five minutes for a file size of 23.7 MB. The collector is a Dual Processor AMD Athlon MP 2800+ with 1024 MB of RAM and an IDE disk drive. It takes about 160 seconds to process the flows and create the reports. The graphs are produced on the fly when someone accesses them. This is a feature of RRDTool. Although this version of FlowScan does not use both processors to process the flow files, it is still useful to have the second processor to handle everything else.
One of the other locations produces reports for a single Cisco 3660 router that has a fractional DS-3 Internet backbone. During peak hours, we can reach up to the full 9 Mbps inbound and about 5 Mbps outbound. This creates about 175,000 flows every five minutes for a file size of about 2-3 MB. The collector is a Pentium III 500 with 256 MB of RAM and an IDE disk drive. It takes about 70 seconds to process the flows and create the reports.
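The five-minute limit above is the one number that decides whether this setup keeps up. The following POSIX shell script is an added example (it is not part of the original document or of FlowScan): it times whatever command you hand it, compares the wall-clock result against the hard 300-second limit and the suggested 180-second target, and returns a verdict you can use from cron or a monitoring check. The flowscan command line and path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original document: check whether one flow
# processing run fits inside the five-minute collection interval.
# Thresholds follow the text: hard limit 300 s (one flow file every five
# minutes), warning above 180 s (the suggested 2.5 to 3 minute target).

HARD_LIMIT=300   # seconds; a new flow file arrives every five minutes
WARN_LIMIT=180   # seconds; headroom for virus outbreaks or DoS floods

# classify_elapsed SECONDS
#   returns 0 = ok, 1 = warn (over WARN_LIMIT), 2 = fail (over HARD_LIMIT)
classify_elapsed() {
    secs=$1
    if [ "$secs" -ge "$HARD_LIMIT" ]; then
        return 2
    elif [ "$secs" -ge "$WARN_LIMIT" ]; then
        return 1
    fi
    return 0
}

# timed_run COMMAND [ARGS...]
#   runs the command, prints elapsed seconds and a verdict, and returns the
#   classify_elapsed code (2 if the command itself failed).
timed_run() {
    start=$(date +%s)
    if "$@"; then cmd_rc=0; else cmd_rc=$?; fi
    end=$(date +%s)
    elapsed=$((end - start))
    if [ "$cmd_rc" -ne 0 ]; then
        echo "FAIL: command exited $cmd_rc after ${elapsed}s"
        return 2
    fi
    if classify_elapsed "$elapsed"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "ok: ${elapsed}s (under ${WARN_LIMIT}s)" ;;
        1) echo "warn: ${elapsed}s exceeds ${WARN_LIMIT}s; little headroom for traffic spikes" ;;
        2) echo "FAIL: ${elapsed}s exceeds ${HARD_LIMIT}s; flow files will back up" ;;
    esac
    return $rc
}

# Usage (flowscan path and options are assumptions, adjust to your install):
#   sh check-budget.sh /usr/local/bin/flowscan -C /var/netflow/flows
if [ "$#" -gt 0 ]; then
    timed_run "$@"
fi
```

Run it against a copy of your busiest five-minute flow file, not an idle one; the 160-second and 70-second figures quoted above were measured at peak, and that is the case the budget has to cover.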
Software Packages
Here is the list of packages you will need. I suggest that you download them all before proceeding any further. It does not matter where you download them to, just don't misplace them. I usually create a folder at "/var/netflow/install" to keep the source packages. Also, please take note that the version numbers may change from what is listed here. Be sure to grab the latest stable versions when you download the packages.
- Apache - You will need a web server to view the graphs and reports from this application. Any web server that supports CGI scripting will be fine. If you do not already have a web server installed, I suggest Apache. It can be downloaded from http://httpd.apache.org. The default install will work just fine. For detailed instructions, please see the documentation on the Apache site. If you did not install the Web Server packages when you installed CentOS, you can install them using the yum utility. To install Apache on CentOS use:
- Perl5 - This is installed by default in most builds of Linux. If you don't have it, please visit www.perl.com or www.cpan.org, or simply rebuild the machine and make sure that you install the Perl packages. (Installing the perl packages during install is the preferred method.) If you don't already have Perl, or don't know what it is, this application is probably not for you.
- RRDTool - This package can be downloaded from www.rrdtool.org. It is recommended that you install from the source tarball. When you configure and compile the package be sure to use the --enable-shared option. Most of the pre-compiled packages (RPMs) do not have this enabled, so if you get RRDTool errors and are using an RPM version, try manually compiling as described here. I install it using these commands:
- tar -zxvf rrdtool-1.2.12.tar.gz
- cd rrdtool-1.2.12
- ./configure --prefix=/usr/local/rrdtool --enable-perl-site-install --disable-tcl
- make
- make install
- flow-tools - This is the collection of programs that includes the collector application I prefer. It can be downloaded from: http://www.splintered.net/sw/flow-tools/. You can install it using these commands:
- tar -zxvf flow-tools-0.66.tar.gz
- cd flow-tools-0.66
- ./configure
- make
- make install
(NOTE: 0.68 is available; however, it is not considered stable by the developers. I have used both 0.66 and 0.68 successfully.)
This will install flow-tools to /usr/local/netflow. Remember this folder. There are many tools included in flow-tools. We will only use flow-capture in this document, but you may find others of use in your situation.
- Perl Modules - In addition to Perl5, you will need the modules listed below. To install all of them, except Cflow which is packaged with flow-tools, follow the instructions below.
Notes about Perl: If you are running the CPAN shell for the first time, you will be asked to configure it. To auto-configure CPAN (I recommend that you let it auto-configure) enter "no". Once it is configured it will download a database file. This may take several minutes depending on your Internet connection. Also, take care to note that everything in Perl is case sensitive. CPAN may also alert you to install a newer version of CPAN. The newer versions are valuable, but be warned: it will take time to install. Lastly, you must be root to install the packages. Type the following commands to use CPAN.
- perl -MCPAN -e shell
- install HTML::Table
- install Net::Patricia
- install Boulder::Stream (If this fails, try to do a "force install Boulder::Stream". The last time I installed this worked correctly without force.)
- ConfigReader - If you are running a current Linux distribution such as CentOS, don't bother trying to install this module in CPAN. Do the following instead:
- Go to http://www.cpan.org
- Search for ConfigReader
- Choose ConfigReader-0.5
- Download the tarball and unpack it (tar -zxvf ConfigReader-0.5.tar.gz)
- cd ConfigReader-0.5
- mkdir -p /usr/lib/perl5/site_perl/5.8.5/ConfigReader
- cp * /usr/lib/perl5/site_perl/5.8.5/ConfigReader
(Update the path to match your version of Perl.) The above is from CentOS 4.2 with Perl 5.8.5.
- If you are running RedHat 7.2 or earlier, this should work instead of the above steps: from the CPAN shell, install ConfigReader::DirectiveStyle
Cflow is included in the current distribution of flow-tools so you do not need to download it separately. Please install it by doing the following:
- cd flow-tools-0.66
- cd contrib
- tar -zxvf Cflow-1.051.tar.gz
- cd Cflow-1.051
- perl Makefile.PL
- make
- make install
***IMPORTANT***
(No, really. It's that important that you understand this. This is the #1 FAQ and problem when installing this application.)
In order for this module to compile with the proper support, you need to run it from a directory under the flow-tools distribution files. The instructions above will build Cflow properly. You WILL get errors when you run FlowScan if you do not follow these steps exactly. Also, if you install flow-tools from an RPM package, you'll need to grab the flow-tools source package to get Cflow to work correctly. There is a README file included in the Cflow-1.051 directory if you'd like more information.
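Before moving on to FlowScan itself, it is worth confirming that every piece listed above actually landed where the later steps expect it. The POSIX shell script below is an added example, not part of this document or of any of the packages it installs: it checks that each Perl module loads (including Cflow from flow-tools/contrib and the RRDs binding that --enable-perl-site-install provides), that flow-capture and the RRDTool prefix exist at the paths this document uses, and that a Korn shell and a web server binary are on the PATH. Note the limit: Cflow loading cleanly proves it is installed, not that it was built under the flow-tools tree; the only real proof of that is FlowScan reading a flow-tools file without error.

```shell
#!/bin/sh
# Added example, not from the original document: verify the prerequisites
# listed in the Software Packages section. Paths follow the text
# (flow-tools under /usr/local/netflow, RRDTool under /usr/local/rrdtool).

missing=0

# check_perl_module Name::Of::Module -> 0 if perl can load it
check_perl_module() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# have_cmd name -> 0 if the command is on PATH
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# have_httpd -> 0 if a CentOS (httpd) or Debian-style (apache2) binary exists
have_httpd() {
    have_cmd httpd || have_cmd apache2
}

# check_path PATH -> 0 if the file or directory exists
check_path() {
    [ -e "$1" ]
}

# report LABEL CHECK [ARGS...] : run one check, print a verdict, count failures
report() {
    label=$1; shift
    if "$@"; then
        echo "ok       $label"
    else
        echo "MISSING  $label"
        missing=$((missing + 1))
    fi
}

# run_checks -> 0 only if everything is present; prints one line per item
run_checks() {
    missing=0
    report "Perl interpreter"               have_cmd perl
    report "HTML::Table"                    check_perl_module HTML::Table
    report "Net::Patricia"                  check_perl_module Net::Patricia
    report "Boulder::Stream"                check_perl_module Boulder::Stream
    report "ConfigReader::DirectiveStyle"   check_perl_module ConfigReader::DirectiveStyle
    report "Cflow (built from flow-tools/contrib)" check_perl_module Cflow
    report "RRDs (RRDTool perl binding)"    check_perl_module RRDs
    report "flow-capture binary"            check_path /usr/local/netflow/bin/flow-capture
    report "RRDTool install prefix"         check_path /usr/local/rrdtool
    report "Korn shell (ksh or pdksh)"      have_cmd ksh
    report "web server binary (httpd/apache2)" have_httpd
    echo "$missing item(s) missing"
    [ "$missing" -eq 0 ]
}

if run_checks; then
    echo "All prerequisites present."
else
    echo "Fix the MISSING items before running FlowScan." >&2
fi
```

A MISSING line for Cflow with everything else present is the classic symptom of the mistake the note above warns about: Cflow was built outside the flow-tools tree, or flow-tools came from an RPM without its source package.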
- Korn Shell - This is required by CUFlow. pdksh works just as well. On a CentOS box, simply type "yum install pdksh" and CentOS will install this for you. You can also download the source from http://web.cs.mun.ca/~michael/pdksh/.
- FlowScan - This is the base report generating application by Dave Plonka. It can be downloaded from: http://net.doit.wisc.edu/~plonka/FlowScan/.
- CUFlow - This is the report module and graph generator written by Columbia University for FlowScan. It can be downloaded from: http://www.columbia.edu/acis/networks/advanced/CUFlow/.
- My Support Files - This includes the scripts and the updated FlowScan.pm module that are needed to complete the installation using this document. http://www.dynamicnetworks.us/netflow/files/support-files-1.1.tar.gz