Installing and using Nfsen

Nfsen is an open-source Netflow collector and analyzer that displays statistics in a web interface in the form of graphs.

Using the example, I will install Nfsen in Ubuntu Server 16.04.
Before installing Nfsen, Nfdump must be installed, for example, as I described in the article:
Installing and using Nfdump

We also install the necessary components:

sudo add-apt-repository universe
sudo apt-get install apache2 php libapache2-mod-php librrds-perl librrdp-perl librrd-dev libmailtools-perl build-essential autoconf rrdtool

Download Nfsen https://sourceforge.net/projects/nfsen/ and unpack:

mkdir /srv/nfsen
cd /srv/nfsen
tar xzfv nfsen-1.3.8.tar.gz

Create a configuration file and open it in a text editor:

cd nfsen-1.3.8/etc
cp nfsen-dist.conf nfsen.conf
nano nfsen.conf

For example, in Ubuntu Server 16.04, I changed the following (apach2 and nginx work by default from the www-data user):

$BASEDIR = "/srv/nfsen";
$PREFIX  = '/usr/bin';
$USER    = "www-data";
$WWWUSER  = "www-data";
$WWWGROUP = "www-data";

%sources = (
    'upstream1'    => { 'port' => '555', 'col' => '#0000ff', 'type' => 'netflow' },
);

Run the nfsen installation script:

cd ..
./install.pl ./etc/nfsen.conf

Run nfsen:

/srv/nfsen/bin/nfsen start

If you need to run nfsen on port 2055/udp, and it was taken by default by nfdump (by the nfcapd process), then stop it before running nfsen:

systemctl is-enabled nfdump
systemctl stop nfdump
netstat -anpl | grep 2055
kill -9 PID_NUMBER
netstat -anpl | grep nfcapd

In the configuration, I specified upstream1 with port 555, so after running nsfsen it will automatically start nfcapd on port 555 and will write data to the /srv/nfsen/profiles-data/live/upstream1/ directory.

To autostart at the start of the operating system, execute the following commands:

ln -s /srv/nfsen/bin/nfsen /etc/init.d/nfsen
update-rc.d nfsen defaults 20

It remains to configure the web server or just create a symbolic link in the www directory (after that you can open nfsen in a browser, for example http://ixnfo.com/nfsen/nfsen.php):

ln -s /srv/nfsen/www/ /var/www/html/nfsen
ln -s /var/www/nfsen/ /var/www/html/nfsen

After editing the configuration, for example, when you need to add or change sources, we will do:

cd /srv/nfsen/bin
./nfsen reconfig

After some time, the data should appear on the graphs, also through tcpdump you can see if the data comes from the sensor:

tcpdump port 555 -e -n

Make sure that nfsen starts when the operating system starts:

systemctl is-enabled nfsen
systemctl is-enabled nfdump
systemctl enable nfsen
systemctl status nfsen

If flow-tools is installed in the operating system, you can disable it like this:

systemctl is-enabled flow-capture
systemctl disable flow-capture
systemctl status flow-capture
systemctl stop flow-capture

In the php.ini file, be sure to specify the correct time zone, for example:

date.timezone = Europe/Kiev

Join the Conversation

1 Comment

Leave a Reply

  1. Hi, I have this problem

    root@vm11:/srv/nfsen/nfsen-1.3.8# ./install.pl ./etc/nfsen.conf
    Can’t locate Socket6.pm in @INC (you may need to install the Socket6 module) (@INC contains: ./libexec ./installer-items /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at ./install.pl line 643.
    BEGIN failed–compilation aborted at ./install.pl line 643.
    root@vm11:/srv/nfsen/nfsen-1.3.8#