NAME
Net::Netfilter::NetFlow - App to generate Cisco NetFlow from Linux netfilter
PURPOSE
If you run a Linux based firewall, the "nfflowd" application in this
distribution will generate a stream of Cisco NetFlow logging data for
all TCP, UDP and ICMP connections passing through.
What makes this different from other solutions is that it uses Linux
netfilter's own connection tracking data, rather than observing a
traffic capture. This is more efficient for your CPU, and allows
tracking of NAT which would otherwise not be possible.
No reconfiguration of the firewall ruleset or network is required.
SYNOPSIS
Make sure you have the "conntrack" and "flow-tools" packages installed
on your Linux firewall system.
Write a small configuration describing your NetFlow collector:
    ~# cat > /etc/nfflowd.conf
    # source interface on this server
    args 10.0.0.1
    # netflow collector address
    args 192.168.0.1
    # netflow collector port number
    args 65001
    ^D
To start the logger as a daemon:
    ~# nfflowd start
To specify a custom configuration other than /etc/nfflowd.conf:
    ~# nfflowd -c /other/config/file.ini
LIMITATIONS
* It's assumed that Source IP NAT is taking place. If not, you may
receive additional unnecessary log lines, sorry. Work is planned to
change the conntrack parser to be configurable for different local
modes of operation.
* Currently only TCP, UDP and ICMP traffic is logged. Again this will
likely be improved as part of the planned changes to the conntrack
output parser.
* The tool supports only IPv4 tracking. Is there a "conntrack" for
IPv6?
DESCRIPTION
The application "nfflowd" included in this distribution is designed to
run as a daemon (background) process on a Linux based firewall running
iptables.
Its purpose is to capture data from the Linux netfilter subsystem about
each tracked data connection passing through the firewall, and log this
in Cisco NetFlow format to a remote NetFlow collector server. We
recommend the Argus 3 software for that collector
(). With the default configuration you
will also receive a local copy of the same data via "syslog", under the
"local6" facility.
"nfflowd" was written for NAT environments where you have a requirement
to trace the IP address on the "private" side which made a particular
connection or flow to a port/destination on the "public" (Internet)
side. The NetFlow streams logged will allow you to trace back to that
private IP.
The daemon requires no reconfiguration of your firewall ruleset or
network, but you may need to install one or two additional helper
programs. These are commonly available in most Linux distributions - see
"DEPENDENCIES", below.
"nfflowd" is also efficient and accurate, as it uses Linux netfilter's
own connection logging and tracking data. This is preferable to
observing a promiscuous traffic capture, which may be CPU intensive and
certainly cannot track NAT connections.
What's special about NAT?
An issue that's specific to NAT (rather than general Netflow from a
Linux router) is that you really need a good and accurate record of the
IP and port number translation. So there are *two* traffic flows, one
before and one after the NAT. Both need logging, together with a way to
correlate them.
Traditionally such things are attempted using two instances of
"softflowd" or "argus", one each side of the NAT. With accurate
timestamping the two flows (pre and post-NAT) can be correlated and then
the IP and port translation deduced.
However this doesn't work for very long running flows, or where there
are numerous flows to a destination, some of which are legitimate and
some not. There exist cases where it is impossible to be sure that you
are correlating the correct two flow records. Seeing as netfilter is
already accurately tracking every connection, with NAT information, we
can make use of that data.
USAGE
The "nfflowd" application included in this distribution is designed to
run as a daemon (background) process. It also supports running in the
foreground. You will need to provide a small amount of configuration,
and otherwise there are sane defaults for all options.
Here is the help text for the current version of "nfflowd":
    Usage: nfflowd [ -c file ] [ -f ] { start | stop | restart | install | check | help | version }
      -c file   Specify configuration file (instead of /etc/nfflowd.conf)
      -f        Run in the foreground (don't detach)
      start     Starts a new nfflowd if there isn't one running already
      stop      Stops a running nfflowd
      restart   Stops a running nfflowd if one is running. Starts a new one.
      install   Setup nfflowd to run automatically after reboot
      check     Check the configuration file and report the daemon state
      help      Display this usage info
      version   Display the version of nfflowd
Although the "reload" option is also available, it currently has no
effect. Please note that the "install" option has not been tested by the
author.
CONFIGURATION
At minimum you need to provide a small configuration to let "nfflowd"
know where your NetFlow collector server is. By default the file is
read from "/etc/nfflowd.conf", although you can specify an alternate
location using the "-c" command line option. The format of the file can
be anything supported by Config::Any (e.g. YAML, JSON), although we
recommend using Config::General format, as in the examples below.
The required configuration is the source IP on your firewall from which
NetFlow packets are sent, and the IP/port numbers of the NetFlow
collector server:
    # source interface on this server
    args 10.0.0.1
    # netflow collector address
    args 192.168.0.1
    # netflow collector port number
    args 65001
These three options must appear *in the exact order given above*.
The other thing you might want to configure is whether and how a local
copy of the NetFlow data is stored on the Linux firewall itself, via
Syslog. The application uses Log::Dispatch and by default will log to
Syslog facility "local6" with priority .
Below is the default configuration, which you can override in your local
"nfflowd" configuration file, but be warned! You *must* retain the
"screen" dispatcher and configuration section, otherwise the application
will stop working. You have the option to remove, change, or add to the
"syslog" dispatcher only:
    dispatchers screen
    dispatchers syslog

    <screen>
        stderr    0
        class     Log::Dispatch::Screen
        min_level debug
    </screen>

    <syslog>
        class     Log::Dispatch::Syslog
        ident     conntrack
        min_level debug
        facility  local6
    </syslog>
"nfflowd" records the start and end of each connection reported by
netfilter. To preserve memory, the application clears up its records of
"unfinished" connections which are older than a set TTL. This defaults
to one week, but can be changed by setting a seconds value using the
following configuration:
    ttl 604800
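The two ideas above (the "What's special about NAT?" section and the TTL
clean-up of unfinished connections) can be shown end to end with a small
parser for the event stream that "conntrack -E -e NEW,DESTROY -o timestamp"
produces. The following Python is an added illustration written for this
page; it is not the nfflowd code and does not use the module's own parser.
The event line layout is assumed from conntrack-tools output, the sample
lines are constructed (a SNAT firewall at 198.51.100.1 in front of
10.0.0.0/24), and the names FlowTracker, parse_event and process are
invented for the example. It pairs each DESTROY with its earlier NEW,
reads the private (pre-NAT) address from the original tuple and the
public (post-NAT) address from the reply tuple, and expires NEW entries
that never saw a DESTROY once they are older than the TTL, as the page's
"ttl" option does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header of one event line as printed with `-o timestamp` (layout assumed
# from conntrack-tools output; the sample lines below are constructed).
HEADER_RE = re.compile(r"^\[(?P<ts>\d+(?:\.\d+)?)\]\s+\[(?P<event>NEW|DESTROY)\]\s+(?P<proto>\w+)")
# One address tuple: TCP/UDP carry sport/dport, ICMP carries type/code/id.
TUPLE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"(?:\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"|\s+type=\d+\s+code=\d+\s+id=(?P<icmp_id>\d+))?"
)


@dataclass(frozen=True)
class Endpoints:
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    icmp_id: Optional[int]


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str         # "NEW" or "DESTROY"
    proto: str        # tcp / udp / icmp
    orig: Endpoints   # direction as the private host sent it (pre-NAT)
    reply: Endpoints  # direction as the public side sees it (post-NAT)


@dataclass(frozen=True)
class FlowRecord:
    proto: str
    private_src: str            # inside host, before SNAT
    private_sport: Optional[int]
    public_src: str             # address the outside world saw, after SNAT
    public_sport: Optional[int]
    dst: str
    dport: Optional[int]
    start: Optional[float]      # None when no NEW event was seen
    end: float
    status: str                 # "closed", "expired" or "orphan"


def parse_event(line: str) -> Optional[Event]:
    """Parse one conntrack event line; None for anything we do not understand."""
    head = HEADER_RE.match(line)
    if head is None:
        return None
    tuples = [
        Endpoints(m.group("src"), m.group("dst"),
                  int(m.group("sport")) if m.group("sport") else None,
                  int(m.group("dport")) if m.group("dport") else None,
                  int(m.group("icmp_id")) if m.group("icmp_id") else None)
        for m in TUPLE_RE.finditer(line)
    ]
    if len(tuples) != 2:  # we need both the original and the reply tuple
        return None
    return Event(float(head.group("ts")), head.group("event"), head.group("proto"), tuples[0], tuples[1])


def _record(ev: Event, start: Optional[float], end: float, status: str) -> FlowRecord:
    # With source NAT the outside host answers to the translated address, so
    # the post-NAT identity of the inside host is the reply tuple's dst/dport.
    # Without NAT reply.dst simply equals orig.src and the two columns agree.
    return FlowRecord(ev.proto, ev.orig.src, ev.orig.sport, ev.reply.dst, ev.reply.dport,
                      ev.orig.dst, ev.orig.dport, start, end, status)


class FlowTracker:
    """Pairs NEW/DESTROY events and expires stale NEW entries after `ttl` seconds."""

    def __init__(self, ttl: float = 604800) -> None:
        self.ttl = ttl
        self.pending: Dict[Tuple[str, Endpoints, Endpoints], Event] = {}

    def feed(self, line: str) -> Optional[FlowRecord]:
        ev = parse_event(line)
        if ev is None:
            return None
        key = (ev.proto, ev.orig, ev.reply)  # same key on NEW and on DESTROY
        if ev.kind == "NEW":
            self.pending[key] = ev
            return None
        new = self.pending.pop(key, None)
        if new is None:  # DESTROY for a connection whose NEW we never saw
            return _record(ev, None, ev.ts, "orphan")
        return _record(new, new.ts, ev.ts, "closed")

    def expire(self, now: float) -> List[FlowRecord]:
        """Drop NEW entries older than the TTL, emitting an 'expired' record for each."""
        stale = [k for k, ev in self.pending.items() if now - ev.ts > self.ttl]
        return [_record(self.pending.pop(k), self.pending.get(k, None) or None, now, "expired")
                if False else _record(ev := self.pending.pop(k), ev.ts, now, "expired") for k in stale]


# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = """\
[1253001600.100000]     [NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.1 sport=80 dport=51234
[1253001600.200000]     [NEW] udp      17 30 src=10.0.0.7 dst=203.0.113.53 sport=40000 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.1 sport=53 dport=1024
[1253001603.500000] [DESTROY] udp      17 src=10.0.0.7 dst=203.0.113.53 sport=40000 dport=53 packets=1 bytes=64 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=1024 packets=1 bytes=128
[1253001612.900000] [DESTROY] tcp      6 src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=80 src=203.0.113.10 dst=198.51.100.1 sport=80 dport=51234
[1253001620.000000]     [NEW] icmp     1 30 src=10.0.0.9 dst=203.0.113.1 type=8 code=0 id=7 [UNREPLIED] src=203.0.113.1 dst=198.51.100.1 type=0 code=0 id=7
"""


def process(text: str, ttl: float = 604800, now: Optional[float] = None) -> List[FlowRecord]:
    """Feed every line to a tracker, then expire whatever is still open at `now`."""
    tracker = FlowTracker(ttl)
    records = [r for r in (tracker.feed(l) for l in text.splitlines()) if r is not None]
    if now is not None:
        records.extend(tracker.expire(now))
    return records


if __name__ == "__main__":
    for r in process(SAMPLE_EVENTS, now=1253001620.0 + 604800 + 1):
        print(f"{r.status:7} {r.proto:4} {r.private_src}:{r.private_sport} -> "
              f"{r.public_src}:{r.public_sport} -> {r.dst}:{r.dport} start={r.start} end={r.end}")
```

Run as a script it prints the two closed flows with their private and
translated source addresses, then the ICMP entry as expired because no
DESTROY arrived within the TTL. A DESTROY whose NEW was never seen (for
example a connection that predates the daemon) comes out as "orphan", so
it can still be logged rather than silently dropped.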
In addition, you can control how each of the helper applications is
loaded and configured. You would generally not need to do this, but here
are the config options anyway:
    progname    conntrack
    init_format -L
    format      -E -e NEW,DESTROY -o timestamp -n

    progname    flow-import
    format      -z0 -f2 -V5 -m0xFF31EF

    progname    flow-send
    format      -V5 -s %s/%s/%s
PAR Support
Simple tests have shown it should be possible to package up this
application with PAR, and ship to servers which do not have Perl and/or
the Perl module dependencies installed.
DEPENDENCIES
Other than the standard contents of a Perl 5.8 distribution, you will
need:
* Conntrack Tools (probably called "conntrack" in your Linux distribution)
* flow-tools
* Log::Dispatch::Configurator::Any version 1.0005 or later
* Daemon::Generic
* File::Slurp version 9999.06 or later
* IPC::Run
* Config::General
* Config::Any version 0.15 or later
SEE ALSO
"pfflowd" at
    This is the BSD pf equivalent of this tool.
"softflowd" at
    From the "pfflowd" stable, this tool requires a promiscuous traffic
    capture to generate data. It is therefore not fully stateful and
    cannot track NAT.
http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html
    Cisco homepage for their NetFlow technology.
THANKS
David Ford of the University of Oxford's OxCERT team provided valuable
input and testing infrastructure; many thanks.
AUTHOR
Oliver Gorwits ""
COPYRIGHT & LICENSE
Copyright (c) The University of Oxford 2009.
This library is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.