How to monitor traffic at Cisco router using Linux (Netflow)

Cisco (featured logo)

By default Cisco IOS doesn’t provide any traffic monitoring tools like iftop or iptraff available in Linux. While there are lots of proprietary solutions for this purpose including Cisco Netflow Collection, you are free to choose nfdump and nfsen open source software to monitor traffic of one or many Cisco routers and get detailed monitoring data through your Linux command line or as graphs at absolutely no cost.

Below is beginner’s guide that helps to quickly deploy netflow collector and visualizer under Linux and impress everybody by cute and descriptive graphs like these:

nfsen screen

It is highly recommended to look through Netflow basics to get brief understanding of how it works before configuring anything. For example, here is Cisco’s document that gives complete information about Netflow. In a few words to get started you should enable netflow exporting on Cisco router and point it to netflow collector running under Linux. Exported data will contain complete information about all packets the router has received/sent so nfdump and nfsen working under Linux will collect it and visualize to present you the graph like above example.

Cisco Router Setup

1. Enable flow export on ALL Cisco router’s interfaces that send and receive some traffic, here is an example:

Router1# configure terminal
Router1(config)#interface FastEthernet 0/0
Router1(config-if)#ip route-cache flow input
Router1(config-if)#interface FastEthernet 0/1
Router1(config-if)#ip route-cache flow input
...

2. Setup netflow export:

Router1# configure terminal
Router1(config)#ip flow-export source FastEthernet0/0
Router1(config)#ip flow-export source FastEthernet0/1
Router1(config)#ip flow-export version 5
Router1(config)#ip flow-export destination 1.1.1.1 23456

Where 1.1.1.1 is IP address of Linux host where you plan to collect and analyze netflow data. 23456 is port number of netflow collector running on Linux.

Linux Setup

1. Download and install nfdump.

cd /usr/src/
wget http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.2/nfdump-1.6.2.tar.gz/download
tar -xvzf nfdump-1.6.2.tar.gz
cd nfdump-1.6.2
./configure --prefix=/ --enable-nfprofile
make
make install

2. Download and install nfsen.

It requires web server with php module and RRD so make sure you have the corresponding packages installed. I hope you’re running httpd with php already so below are rrd/perl related packages installation hints only.

Fedora/Centos/Redhat users should type this:

yum install rrdtool rrdtool-devel rrdutils perl-rrdtool

Ubuntu/Debian:

aptitude install rrdtool librrd2-dev librrd-dev librrd4 librrds-perl librrdp-perl

If you run some exotic Linux distribution just install everything that is related to rrd + perl.

At last, nfsen installation:

cd /usr/src/
wget http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz/download
tar -xvzf nfsen-1.3.5.tar.gz
cd nfsen-1.3.5
cp etc/nfsen-dist.conf etc/nfsen.conf

In order to continue you should edit file etc/nfsen.conf to specify where to install nfsen, web server’s username, its document root directory etc. That file is commented so there shouldn’t be serious problems with it.

One of the major sections of nfsen.conf is ‘Netflow sources’, it should contain exactly the same port number(s) you’ve configured Cisco with — recall ‘ip flow-export …’ line where we’ve specified port 23456. E.g.

%sources = (
    'Router1'    => { 'port' => '23456', 'col' => '#0000ff', 'type' => 'netflow' },
);

Now it’s time to finish the installation:

./install.pl etc/nfsen.conf

In case of success you’ll see corresponding notification after which you will have to start nfsen daemon to get the ball rolling:

/path/to/nfsen/bin/nfsen start

From this point nfdump started collecting netflow data exported by Cisco router and nfsen is hardly working to visualize it — just open web browser and go to http://linux_web_server/nfsen/nfsen.php to make sure. If you see empty graphs just wait for a while to let nfsen to collect enough data to visualize it.

That’s it!

SHARE:

16 thoughts on “How to monitor traffic at Cisco router using Linux (Netflow)”

  1. useful post!

    I would also like to suggest that you can use ManageEngine NetFlow Analyzer to monitor traffic at Cisco routers. Yes, it runs on Linux too!

    cheers
    joe

  2. Pingback: links for 2010-11-26 « Where Is All This Leading To?

  3. invaluable information A little bit in a hurry, did not get to read everything but will definitely come back later to finish everything. I think the second paragraph pretty much says everything.. for several years

  4. jouets moins chers

    Definitely believe that which you stated. Your favorite reason appeared to be on the net the simplest thing to be aware of. I say to you, I definitely get annoyed while people consider worries that they plainly do not know about. You managed to hit the nail upon the top and also defined out the whole thing without having side-effects , people could take a signal. Will probably be back to get more. Thanks

  5. neat blog theme! what place? anyway, I have already been hanging out right here for some time now and ultimately I have the courage to leave a comment. most of your write-up is utterly fascinating well, i decided to share it on facebook.

  6. Sunnyvale (CA) Estate Planning Lawyer

    Thanks for a very informative web site. What else may I get that type of info written in such a perfect manner? I’ve a mission that I’m simply now working on, and I’ve been at the look out for such info.

  7. While configuring nfdump, there is error
    “configure: error: Can not link librrd. Please specify –with-rrdpath=.. configure failed!”
    Please suggest

  8. please help
    i have an error when installing nfsen
    UNIVERSAL->import is deprecated and will be removed in a future perl at /opt/nfsen/libexec/Nfcomm.pm line 47
    thanks

    thn

  9. Pingback: Netflow with Open Source | GNC

  10. In the nfsen.conf file, it has the following example for the %sources:
    %sources = (
    ‘upstream1’ => { ‘port’ => ‘9995’, ‘col’ => ‘#0000ff’, ‘type’ => ‘netflow’ },
    ‘peer1’ => { ‘port’ => ‘9996’, ‘IP’ => ‘172.16.17.18’ },
    ‘peer2’ => { ‘port’ => ‘9996’, ‘IP’ => ‘172.16.17.19’ },
    );
    There is no explanation what ‘IP’ is and where/why it is mention in there! Any chance you can expand on this?

    Cheers,
    ak.

Leave a Reply

Your email address will not be published. Required fields are marked *