Installing and using Nfdump

Nfdump is a collection of tools for collecting and processing netflow data.

To install Nfdump on Ubuntu/Debian, do:

sudo apt-get install nfdump

In CentOS:

sudo yum install nfdump

nfdump consists of:
nfcapd – receives netflow data from the network and saves it to files.
nfdump – reads netflow data from files.
nfprofile – reads netflow data from files using filters and saves the result to a file.
nfreplay – reads netflow data from files and sends them to another network node.
– a script for cleaning old data.
ft2nfdump – reads and converts data.

In fact, if you install nfsen, it will launch nfcapd itself.

But for an example I’ll show how you can manually run nfcapd and see the collected data:

mkdir /tmp/nfcap-test
nfcapd -E -p 9001 -l /tmp/nfcap-test
ls -l /tmp/nfcap-test
nfdump -r /tmp/nfcap-test/nfcapd.* | less
nfdump -r /tmp/nfcap-test/nfcapd.* -s srcip/bytes

You can see the running nfcapd processes with the command:

ps auxwww | grep nfcapd

I note that by default, after installation, nfcapd starts, listens on port 2055 and writes data to /var/cache/nfdump.

I will show you some more examples of viewing statistics:

nfdump -r /var/cache/nfdump/nfcapd.202001292351 -c 100
nfdump -o raw -r /var/cache/nfdump/nfcapd.202001292351
nfdump -r /var/cache/nfdump/nfcapd.202001292351 -c 100 'proto tcp and ( src ip <IP> or dst ip <IP> )'
nfdump -r /var/cache/nfdump/nfcapd.202001292351 'proto tcp and ( src ip <IP> and dst port 80 or dst port 443 and dst ip <IP> )'
nfdump -M /srv/nfsen/profiles-data/live/upstream1/2020/01/30:/srv/nfsen/profiles-data/live/upstream1/2020/01/30 -R nfcapd.202001300000:nfcapd.202001300455 -s record -n 20 -o extended

View all files in the specified directory:

nfdump -R /var/cache/nfdump/ 'proto tcp and (dst port 80 or dst port 443)'

You can redirect the results to a file, for example all web connections made by a specific IP address (replace <IP> with the address you are interested in):

nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip <IP> and (dst port 80 or dst port 443)' > file.txt
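The `-s srcip/bytes` statistic and the `'proto tcp and (dst port 80 or dst port 443)'` filter shown above can also be reproduced offline over a CSV export (`nfdump -R /var/cache/nfdump/ -o csv > flows.csv`), which is handy when you want to post-process flows in your own tooling. The script below is an added example, not code from the post or from the nfdump project; it assumes the export carries a header row with the columns sa, da, dp, pr, ipkt and ibyt (column order is taken from the header, not hard-coded), and the sample rows embedded in it are constructed, not captured data.

```python
"""Top talkers by source IP from an nfdump CSV export (added example).

Reproduces `nfdump ... -s srcip/bytes -n N` and the page's web-traffic
filter over an `-o csv` export, so flows can be analysed offline.
Assumption: the export has a header with sa, da, dp, pr, ipkt, ibyt.
"""
import csv
import io
import sys
from collections import defaultdict

# Constructed sample in nfdump `-o csv` style (not a real capture). The two
# trailing lines imitate the summary that nfdump appends after the flows.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,ipkt,ibyt
2020-01-29 23:51:01,2020-01-29 23:51:03,2.000,192.0.2.10,198.51.100.5,51234,443,TCP,.AP.SF,12,4800
2020-01-29 23:51:02,2020-01-29 23:51:02,0.100,192.0.2.11,198.51.100.5,51235,80,TCP,.AP.SF,5,900
2020-01-29 23:51:04,2020-01-29 23:51:09,5.000,192.0.2.10,198.51.100.9,51236,80,TCP,.AP.SF,40,61000
2020-01-29 23:51:05,2020-01-29 23:51:05,0.000,192.0.2.12,198.51.100.53,40001,53,UDP,......,1,80
2020-01-29 23:51:06,2020-01-29 23:51:07,1.000,192.0.2.12,198.51.100.9,51237,22,TCP,.AP.SF,30,12000
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
"""

WEB_PORTS = {80, 443}


def parse_flows(text):
    """Yield one dict per flow row; rows that lack the needed fields
    (the summary trailer, malformed lines) are skipped."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        try:
            yield {
                "sa": row["sa"],
                "da": row["da"],
                "dp": int(row["dp"]),
                "pr": row["pr"].strip().upper(),
                "ipkt": int(row["ipkt"]),
                "ibyt": int(row["ibyt"]),
            }
        except (KeyError, TypeError, ValueError, AttributeError):
            continue


def is_web_tcp(flow):
    """Same selection as 'proto tcp and (dst port 80 or dst port 443)'.
    Accepts the protocol as a name or as its number."""
    return flow["pr"] in ("TCP", "6") and flow["dp"] in WEB_PORTS


def top_srcip_bytes(flows, n=10, predicate=None):
    """Equivalent of `-s srcip/bytes -n N`: per source IP, count flows,
    packets and bytes, then rank by bytes descending."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for flow in flows:
        if predicate is not None and not predicate(flow):
            continue
        t = totals[flow["sa"]]
        t["flows"] += 1
        t["packets"] += flow["ipkt"]
        t["bytes"] += flow["ibyt"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(ip, t["flows"], t["packets"], t["bytes"]) for ip, t in ranked[:n]]


def main():
    # Usage: python top_talkers.py [flows.csv]; with no argument the
    # constructed sample is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    flows = list(parse_flows(text))
    print("All traffic, top sources by bytes:")
    for ip, fl, pk, by in top_srcip_bytes(flows):
        print(f"  {ip:<16} flows={fl:<3} packets={pk:<5} bytes={by}")
    print("Web traffic only (TCP to port 80 or 443):")
    for ip, fl, pk, by in top_srcip_bytes(flows, predicate=is_web_tcp):
        print(f"  {ip:<16} flows={fl:<3} packets={pk:<5} bytes={by}")


if __name__ == "__main__":
    main()
```

Reading the column positions from the header rather than hard-coding them keeps the script working across nfdump versions whose CSV layouts differ, and skipping rows that fail to parse is what lets the summary trailer pass through harmlessly.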

Since nfcapd is only a collector, you also need to configure a sensor that will send netflow data to it, for example fprobe on a host, or netflow export on a switch or router.

Make sure nfdump starts when the operating system starts:

systemctl is-enabled nfdump
systemctl enable nfdump
systemctl status nfdump

If iptables is used, open the collector port for the sensor only (replace <SENSOR_IP> with the address of the sensor):

iptables -A INPUT -s <SENSOR_IP> -p udp --dport 2055 -j ACCEPT
