how to add multiple NetFlow /sflow sources

Open Akshaykkapoor opened this issue 5 years ago • 14 comments

My NetFlow station built around Nfsen works well; however, I am not sure how to add multiple sFlow/NetFlow sources on the same port in Nfsen-ng.

Please suggest where to add source IPs and ports in the configuration; in Nfsen-ng there is no option to add IPs in backend/settings.php for multiple sources. Please help, I am very impressed with the web front-end of Nfsen-ng and would like to start a new deployment with Nfsen-ng.

Akshaykkapoor avatar Nov 29 '18 19:11 Akshaykkapoor

Sounds to me like nfcapd configuration; nfsen-ng doesn't configure and start nfcapd... would be a nice feature though.

mbolli avatar Dec 02 '18 14:12 mbolli

Hi All.

@mbolli isn't it possible to configure nfsen-ng to support multiple sources as nfsen does?

Thanks.

nfsen.conf example:

%sources = (
    'upstream1'    => { 'port'    => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1'        => { 'port'    => '9996', 'col' => '#ff0000' },
);

ghost avatar Feb 11 '20 16:02 ghost

Hi @ropesca, nfsen-ng is a visualizer for that kind of data. What you are probably talking about is the nfcapd collector, which is responsible for collecting the data. This tool is part of nfdump and you should start it manually or with a self-defined service unit/script. You could try to execute these commands in a second shell for test purposes and, if they work as you would expect, incorporate them in a service or whatever.

I assume that you have nfcapd available at /usr/local/bin/nfcapd so I tried to adapt that to your context:

/usr/local/bin/nfcapd -w -D -p 9995 -u netflow -g www-data -B 200000 -S 1 -z -I upstream1 -l /your/path/to/nfsen/profiles-data/live/upstream1
/usr/local/bin/nfcapd -w -D -p 9996 -u netflow -g www-data -B 200000 -S 1 -z -I peer1 -l /your/path/to/nfsen/profiles-data/live/peer1

A quick Google search to see which nfcapd parameters I am using is available here: https://www.systutorials.com/docs/linux/man/1-nfcapd/

Also, I have a "netflow" user and my data needs to be available to the "www-data" group for nfsen-ng, but this may need to be adapted to your needs. And... maybe you need the nfsen structure for the profiles; I don't remember if that was created manually or not.

Dona21 avatar Feb 11 '20 17:02 Dona21

Hi @Dona21, you cleared it up. Thank you.

So, on nfsen-ng sources configuration, I should insert the same name as nfdump configuration, right?

In your example, would be like this:

        'sources' => array(
            'upstream1', 'peer1',
        ),

ghost avatar Feb 11 '20 20:02 ghost

You are welcome, glad that it helped. Yes, that section of the configuration would be correct to match the example.

Dona21 avatar Feb 11 '20 21:02 Dona21

I've tried to modify the NetFlow sources from the settings page, whose path is /var/www/html/nfsen-ng/backend/settings, then I restarted nfsen-ng, but it failed to display on the web page.

        'sources' => array(
           'source1  => { 'port'    => '9996', 'col' => '#ff0000', 'IP' => 172.16.1.1', 'Type' => 'sflow' },

The web page displays as below:

General error:
Parse error: syntax error, unexpected '{' in /var/www/html/nfsen-ng/backend/settings/settings.php on line 16

My question is: what's the correct method to modify the multiple sources?

realnet avatar Dec 21 '20 12:12 realnet

@realnet sources is a string array, your curly-braces syntax is not valid PHP. nfsen-ng only needs the name of the source, all the other data is used by nfcapd (see this excellent answer by @Dona21)

So your sources array should look like this:

'sources' => ['source1', 'source2', 'source3']

mbolli avatar Dec 21 '20 15:12 mbolli
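
The two answers above fit together as follows: one nfcapd collector per source, and nfsen-ng's `sources` array holding only the matching names. This is an added example, not part of the thread or of the nfsen-ng/nfdump projects; it only prints the commands (dry run), and the source list, path, user and group are the placeholder values used in the comments above.

```shell
#!/bin/sh
# Added example: dry-run generator, prints commands instead of starting nfcapd.
# Constructed input: name:port pairs taken from the nfsen.conf example in the thread.
SOURCES="upstream1:9995 peer1:9996"
BASE="/your/path/to/nfsen/profiles-data/live"   # placeholder path from the thread
NFCAPD="/usr/local/bin/nfcapd"                  # location assumed in the thread

# Accept only "name:port" with a filesystem-safe name and a valid UDP port.
valid_source() {
    case "$1" in *:*:*) return 1 ;; *:*) ;; *) return 1 ;; esac
    name=${1%%:*}; port=${1##*:}
    case "$name" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the collector command for one entry; ident (-I) and directory share the name.
nfcapd_cmd() {
    valid_source "$1" || { echo "invalid source: $1" >&2; return 1; }
    printf '%s -w -D -p %s -u netflow -g www-data -B 200000 -S 1 -z -I %s -l %s/%s\n' \
        "$NFCAPD" "$port" "$name" "$BASE" "$name"
}

# Print the settings.php line: nfsen-ng gets the names only, no ports or IPs.
php_sources() {
    out=""
    for s in $SOURCES; do
        valid_source "$s" || return 1
        out="${out:+$out, }'$name'"
    done
    printf "'sources' => [%s],\n" "$out"
}

# List ports assigned to more than one source in this one-collector-per-port layout.
duplicate_ports() {
    for s in $SOURCES; do echo "${s##*:}"; done | sort | uniq -d
}

dups=$(duplicate_ports)
[ -z "$dups" ] || { echo "port assigned twice: $dups" >&2; exit 1; }
for s in $SOURCES; do nfcapd_cmd "$s" || exit 1; done
php_sources
```
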

What is wrong with this command?

Command: nfcapd -p 9995 -u www-data -g www-data -B 200000 -S 1 -z -I EDGE -l /var/nfdump/profiles-data/live/EDGE

result:

Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: NEL Common block
Bound to IPv4 host/IP: any, Port: 9995
Standard setsockopt, SO_RCVBUF is 212992 Requested length is 200000 bytes
System set setsockopt, SO_RCVBUF to 400000 bytes
startup.
Init IPFIX: Max number of IPFIX tags: 69
Process_v9: New exporter: SysID: 1, Domain: 0, IP: 192.168.100.0

Process_v9: [0] Add template 256
Process_v9: [0] Add template 257
Ident: 'BORDA' Flows: 1099538, Packets: 34569118, Bytes: 31544308647, Sequence Errors: 5730, Bad Packets: 0
Total ignored packets: 0

steinhorstbr avatar Feb 01 '23 00:02 steinhorstbr

nfsen-ng: Why is my date and time not correct, and why does it always show my core switch internet-side IP and not show the NAT IP in the network?

pra838 avatar Aug 11 '23 06:08 pra838

I've tried to modify the NetFlow sources from the settings page, whose path is /var/www/html/nfsen-ng/backend/settings, then I restarted nfsen-ng, but it failed to display on the web page.

        'sources' => array(
           'source1  => { 'port'    => '9996', 'col' => '#ff0000', 'IP' => 172.16.1.1', 'Type' => 'sflow' },

The web page displays as below:

General error:
Parse error: syntax error, unexpected '{' in /var/www/html/nfsen-ng/backend/settings/settings.php on line 16

My question is: what's the correct method to modify the multiple sources?

https://ws.learn.ac.lk/wiki/NspwUprouse/Agenda/netflow

pra838 avatar Aug 11 '23 06:08 pra838

Hi @steinhorstbr, I did not see your comment before and I assume you found out since February. However, for any nfdump suite tools (nfcapd is part of it), you should ask that directly there: https://github.com/phaag/nfdump

Dona21 avatar Aug 11 '23 15:08 Dona21

Hi @pra838, your question concerning sources has been answered in this exact same post by @mbolli. See it here.

@realnet sources is a string array, your curly-braces syntax is not valid PHP. nfsen-ng only needs the name of the source, all the other data is used by nfcapd (see this excellent answer by @Dona21)

So your sources array should look like this:

'sources' => ['source1', 'source2', 'source3']

Dona21 avatar Aug 11 '23 15:08 Dona21

https://github.com/mbolli/nfsen-ng/issues/18#issuecomment-1674247001

Why is my date & time not correct?

pra838 avatar Aug 15 '23 03:08 pra838

In the screenshot you posted, you can see a command (nfdump tool) that is executed in the backend. Try to run it in your terminal and see what kind of output you get. My assumption is that you will have the same output. If so, your question should be posted on the nfdump project, as the output is generated by that tool. However, in any case this question has nothing to do with the issue you are writing in, with the title "how to add multiple NetFlow /sflow sources", so please keep it structured when asking for help, thanks.

Dona21 avatar Aug 15 '23 17:08 Dona21