Friday, June 05, 2015
Minimal Netflow Sensor Station with OpenBSD 5.7
The basics:
Default install of OpenBSD 5.7 amd64. I start ntpd by default so I'll have accurate time stamps in my logs.
Get the network interfaces up and running.
In the default /etc/pf.conf rules, add the following line to the top:
set state-defaults pflow
Add the following to /etc/hostname.pflow0
flowsrc 127.0.0.1 flowdst 127.0.0.1:12345
Then "pkg_add flowd" to install the collector. By default it listens only on localhost port 12345.
Add "/usr/local/sbin/flowd" to /etc/rc.local to cause it to start at boot.
It will start logging to /var/log/flowd
You can view the netflow logs with "flowd-reader /var/log/flowd"
More advanced:
We'll use the nfdump tools for our collector and reporting.
pkg_add nfdump
The nfcapd netflow capture daemon will replace flowd, and listens on port 9995 by default. Modify /etc/hostname.pflow0 to contain the following:
flowsrc 127.0.0.1 flowdst 127.0.0.1:9995
Also, modify /etc/rc.local and remove the line that starts flowd, and replace it with (all on one line):
/usr/local/bin/nfcapd -D -z -w -n localhost,127.0.0.1,/var/log/netflow -T all -S 2
You will also need to create the /var/log/netflow directory.
You can now use the nfdump tool to view one of the files which are created every 5 minutes. Files are in sub-directories based on year, month, day, hour. For example:
nfdump -r /var/log/netflow/2015/06/05/13/nfcapd.201506051335 -s dstip
Or to view them all use the capital R option:
nfdump -R /var/log/netflow/2015/06/05/13 -s dstip
If you are already in a particular directory, use backticks around the pwd command:
nfdump -R `pwd` -s dstip
You can also select other stats like dstport, etc. Here are some of them. See the man page for more.
record    Statistic about aggregated netflow records
srcip     Statistic about source IP addresses
dstip     Statistic about destination IP addresses
ip        Statistic about any (source or destination) IP addresses
srcport   Statistic about source ports
dstport   Statistic about destination ports
port      Statistic about any (source or destination) ports
proto     Statistic about protocol numbers
You can also filter the records instead of summarizing them, for example to show only the flows involving a single address:
nfdump -R `pwd` 'IP 10.1.100.10'
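Once the nfcapd files exist, the same data can be fed into your own checks. The following is an added example, not part of the original post or of the nfdump project: it reads the CSV form of nfdump's output (what `nfdump -R ... -o csv` prints) from a constructed sample, reproduces the `-s dstip` byte totals, and flags a source that touched many distinct TCP ports on one host. The column names sa, da, dp, pr and ibyt are assumed to match nfdump's CSV header; the sample records and addresses other than 10.1.100.10 are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for `nfdump -R /var/log/netflow/2015/06/05/13 -o csv`.
# Column names (sa, da, dp, pr, ibyt, ...) follow nfdump's CSV layout as an assumption;
# fields are located by header name, so additional columns do not matter.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2015-06-05 13:35:01.120,2015-06-05 13:35:01.380,0.260,10.1.100.10,10.1.100.1,51022,53,UDP,......,0,0,1,78
2015-06-05 13:35:02.000,2015-06-05 13:35:40.500,38.500,10.1.100.10,203.0.113.20,51023,443,TCP,.AP.SF,0,0,240,184320
2015-06-05 13:36:10.000,2015-06-05 13:36:10.010,0.010,10.1.100.77,10.1.100.10,40000,22,TCP,....S.,0,0,1,60
2015-06-05 13:36:10.020,2015-06-05 13:36:10.030,0.010,10.1.100.77,10.1.100.10,40001,23,TCP,....S.,0,0,1,60
2015-06-05 13:36:10.040,2015-06-05 13:36:10.050,0.010,10.1.100.77,10.1.100.10,40002,80,TCP,....S.,0,0,1,60
2015-06-05 13:36:10.060,2015-06-05 13:36:10.070,0.010,10.1.100.77,10.1.100.10,40003,443,TCP,....S.,0,0,1,60
2015-06-05 13:36:10.080,2015-06-05 13:36:10.090,0.010,10.1.100.77,10.1.100.10,40004,445,TCP,....S.,0,0,1,60
"""

def load_flows(text):
    """Parse nfdump CSV text into dicts keyed by header name, keeping only flow records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # Trailer or summary rows are not flow records: require a dated ts and a byte count.
        if not row.get("ibyt") or "-" not in (row.get("ts") or ""):
            continue
        rows.append(row)
    return rows

def top_destinations(flows, n=5):
    """Bytes per destination address, largest first (the same view as `nfdump -s dstip`)."""
    total = defaultdict(int)
    for f in flows:
        total[f["da"]] += int(f["ibyt"])
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]

def port_scanners(flows, min_ports=5):
    """(source, destination) pairs where the source hit at least min_ports distinct TCP ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["pr"] == "TCP":
            ports[(f["sa"], f["da"])].add(int(f["dp"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    flows = load_flows(SAMPLE_CSV)
    for addr, nbytes in top_destinations(flows):
        print(f"{addr:>16} {nbytes:>10} bytes")
    for (src, dst), plist in port_scanners(flows).items():
        print(f"possible scan: {src} -> {dst} ports {plist}")
```

To run it against real data, replace SAMPLE_CSV with the output of nfdump -o csv over the directory of interest; the threshold in port_scanners is a starting point to tune against your own baseline.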
Using a Different Sensor
Why don't we try softflowd as a sensor? You can undo all the /etc/pf.conf and /etc/hostname.pflow0 changes. The new daemon listens promiscuously on the network, so the pf packet filter doesn't need to be involved. Run "pkg_add softflowd". Now go ahead and edit /etc/rc.conf.local and add the following lines (and change bge0 to whatever your network interface is):
pkg_scripts=softflowd
softflowd_flags="-i bge0 -n 127.0.0.1:9995"
Reboot to do the lazy start of all daemons. You can check to make sure it is all working by issuing the command:
softflowctl statistics