Instructions on how to install fprobe on Ubuntu 12.04 (Precise Pangolin) using the command line. Instructions on how to install fprobe-ulog on Ubuntu 16.04 (Xenial Xerus) using the command line. Try to install fprobe manually:

yum install -y wget libpcap-devel gcc flex byacc bison make
cd /tmp
wget -O fprobe-1.1.tar.bz2 'http://downloads.
Details

This article assumes you have Fprobe installed on a Linux box and are attempting to send flows to NTA. Fprobe can be downloaded from most repositories or here:

You need to run two processes, one for inbound and one for outbound traffic. These are designed for high load:

/usr/local/fprobe/sbin/fprobe -x1:2 -ieth1 -B4096 -r2 -q10000 -t0000 -a 1.1.1.1 2.2.2.2:2055
/usr/local/fprobe/sbin/fprobe -x2:1 -ieth1 -B4096 -r2 -q10000 -t0000 -a 1.1.1.1 2.2.2.2:2055

Explanation:
1.1.1.1 = source IP
2.2.2.2 = NetFlow collector IP (this should be the NTA IP)
2055 = collector port
-x1:2 = InPackets
-x2:1 = OutPackets
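As an added example (not from the original article), a small Python NetFlow v5 parser shows what the two -x settings buy the collector side: fprobe exports NetFlow v5 by default, the -x1:2 instance stamps its records with input ifIndex 1 / output ifIndex 2 and the -x2:1 instance the reverse, so a collector can split traffic into inbound and outbound and total bytes per local IP from those two fields alone. The datagram, the customer address 10.0.0.5 and the peer 203.0.113.9 are all constructed for the example.

```python
"""NetFlow v5 parser for the two-probe fprobe setup above: -x1:2 stamps inbound
flows input ifIndex 1 / output 2, -x2:1 the reverse. Added example; data constructed."""
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte export header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def ip_to_str(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def str_to_ip(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def build_datagram(flows):
    """Constructed v5 export; flows are (src, dst, input, output, pkts, octets)."""
    body = b"".join(V5_RECORD.pack(str_to_ip(s), str_to_ip(d), 0, i, o, p, oc,
                                   0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
                    for s, d, i, o, p, oc in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

def parse_v5(datagram):
    """Decode header and records; reject anything that is not a complete v5 packet."""
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header claims %d records" % count)
    recs = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        recs.append({"src": ip_to_str(f[0]), "dst": ip_to_str(f[1]),
                     "input": f[3], "output": f[4], "octets": f[6]})
    return recs

def account_by_direction(records):
    """Bytes per local IP, split in/out by the ifIndex pair each probe stamped.
    In-flows (probe -x1:2) carry the local host as dst, out-flows as src."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        if (r["input"], r["output"]) == (1, 2):
            totals[r["dst"]]["in"] += r["octets"]
        elif (r["input"], r["output"]) == (2, 1):
            totals[r["src"]]["out"] += r["octets"]
    return dict(totals)  # any other pair means a misconfigured probe; left out

# Constructed sample: 10.0.0.5 is a hosted customer, 203.0.113.9 an internet peer.
SAMPLE = build_datagram([("203.0.113.9", "10.0.0.5", 1, 2, 10, 15000),
                         ("10.0.0.5", "203.0.113.9", 2, 1, 8, 2400)])
```

Records whose ifIndex pair is neither (1, 2) nor (2, 1) are a useful thing to count separately on a real collector, since they mean one of the probes is not running with the -x value you expect.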
Backplot (added 20 August 2012)

I'm using this configuration to monitor the uplinks (both to the internet and the TLS links to our partners) for a small hosting company. According to nfsen, we pass on the order of 8 TB of internet traffic monthly and 35 TB of traffic with our partners monthly. The current nfsen system is a Sun V60x with 2 GB of memory and mirrored 72 GB Ultra-320 disks running CentOS 5.x.

It only performs netflow (and netflow accounting) tasks. I keep 80 GB of flows, which is about a month of data. The vast majority of it (77 GB currently) is the internet traffic rather than the partner traffic, but that's due to the nature of the two kinds of traffic.
Our primary goal with this tool was to provide some accounting of which of our customers' IPs were transferring how much with the internet. This information is collected through some perl scripts (currently unreleased because they are very ugly) and presented through dynamically generated graphs. However, we have found that keeping the flows around is good for forensic investigations of abnormal traffic: we've been able to confirm hacked systems through their traffic patterns, as well as show customers some undesired behavior by showing them the relevant flow data.

Also, you really want to read the whole thing, including the parts about CentOS 5, before proceeding.

Installing a fprobe/nfsen configuration on CentOS 4 (13 May 2009)

Configure your network: For this to work you need a smart switch that can mirror/clone traffic from one port to another, a computer to act as the flow generator, and a computer to act as the nfsen station.

In practice this means you will be mirroring the traffic you are interested in to a port connected to the monitoring station. I like to dedicate an interface on the monitoring station for this purpose; depending on your switch this might be mandatory, as some switches will not let a system transmit through a port set to 'monitoring/mirroring' mode. (Note that 3Com used to call this mode 'RMON Roving Port Analysis'. Maybe they still do.) Usually when doing pilots, the flow-generating computer is the same as the nfsen computer. Note that if your firewall/router is suitably advanced, you may be able to generate netflows internally from the device and therefore skip the fprobe steps completely. This is all left as an exercise for the reader.
Download: For the purposes of this example I am using:
1.1
1.5.8
1.3 Install Prerequisites

These are available from rpmforge.

$ sudo /usr/sbin/service httpd restart

Make it all reasonably available

You'll want to ensure that the following things start on boot:
fprobe
nfsen
httpd

Enjoy your netflows

Point your browser at the system where you installed nfsen and start playing. If you get ugly messages about not being able to initialize globals (among other problems) then you almost certainly have selinux running (turn it off). Either that or you skipped the directory ownership/permissions step above.

A Brief Word About VLANs

If you are using VLANs on the wire you are sniffing, whether or not you need to get fancy depends on the switch type. When I was hooked up to a 3Com 4900, a single fprobe instance attached to the interface read all VLANs correctly; when the 4900 was replaced by a Dell 3548, the single fprobe instance only read the outbound traffic and didn't read any of the inbound traffic.
I had to create un-addressed interfaces for each VLAN and then run a separate fprobe instance for each interface (with an associated separate probe on the nfsen collector too):

vconfig add eth2 2024
ifconfig eth2.2024 up
fprobe -f'ip' -i eth2.2024 -e 120 -q 10240 172.30.0.159:997
vconfig add eth2 2045
ifconfig eth2.2045 up
fprobe -f'ip' -i eth2.2045 -e 120 -q 10240 172.30.0.159:996

Update: 2 June 2010, Notes about CentOS 5

Quasi-upgrade/new installation: my nfsen system has small, full disks. Instead of migrating the installation from a small disk to a large one, I decided to build a new system, copy the current data (plus assorted other things I've done with the historical data) to the new system, and go. Of course things are not so straightforward.

Nfsen has been updated to 1.3.3. I cannot get 1.3.3 to install; it complains about 'docs' not being a valid directory. Interestingly, the 1.3.2 tar file is much larger than the 1.3.3 file was.

Nfdump has been updated to 1.6.x. The format of the netflow files has changed and by default 1.6.1 won't read 1.5.x dump files. If you have some 1.5.x netflow files around that you might want to read, you have to configure nfdump like so:

# ./configure --enable-compat15 --enable-nfprofile

If you are getting rrdtool and friends from rpmforge, beware that rpmforge has upgraded their latest available rrdtool to 1.4.x (for EL 5.x anyway); nfsen won't deal with anything higher than the 1.3.x stream. I went to the rpmforge repo site in my web browser (which for me was ) and downloaded the versions I had been running on my older system, which were:
perl-rrdtool-1.2.30-1.el5.rf.i386.rpm
rrdtool-1.2.30-1.el5.rf.i386.rpm
rrdtool-devel-1.2.30-1.el5.rf.i386.rpm