Nfdump is a collection of tools for collecting and processing netflow data.
To install Nfdump on Ubuntu/Debian, do:
sudo apt-get install nfdump
In CentOS:
sudo yum install nfdump
nfdump consists of:
nfcapd – receives netflow data from the network and saves it to files.
nfdump – reads netflow data from files.
nfprofile – reads netflow data from files using filters and saves the result to a file.
nfreplay – reads netflow data from files and sends them to another network node.
nfclean.pl – a script for cleaning old data.
ft2nfdump – reads flow-tools data and converts it to nfdump format.
In fact, if you install nfsen, it will launch nfcapd itself.
But for an example I’ll show how you can manually run nfcapd and see the collected data:
mkdir /tmp/nfcap-test
nfcapd -E -p 9001 -l /tmp/nfcap-test
CTRL+C
ls -l /tmp/nfcap-test
nfdump -r /tmp/nfcap-test/nfcapd.* | less
nfdump -r /tmp/nfcap-test/nfcapd.* -s srcip/bytes
You can see the running nfcapd processes with the command:
ps auxwww | grep nfcapd
I note that by default, after installation, nfcapd starts, listens on port 2055 and writes data to /var/cache/nfdump.
I will show you some more examples of viewing statistics:
nfdump -r /var/cache/nfdump/nfcapd.202001292351 -c 100
nfdump -o raw -r /var/cache/nfdump/nfcapd.202001292351
nfdump -r /var/cache/nfdump/nfcapd.202001292351 -c 100 'proto tcp and ( src ip 172.17.5.21 or dst ip 172.17.5.22 )'
nfdump -r /var/cache/nfdump/nfcapd.202001292351 'proto tcp and ( src ip 172.17.5.21 and dst port 80 or dst port 443 and dst ip 192.168.1.5 )'
nfdump -M /srv/nfsen/profiles-data/live/upstream1/2020/01/30:/srv/nfsen/profiles-data/live/upstream1/2020/01/30 -R nfcapd.202001300000:nfcapd.202001300455 -s record -n 20 -o extended
View all files in the specified directory:
nfdump -R /var/cache/nfdump/ 'proto tcp and (dst port 80 or dst port 443)'
You can output the results to a file, for example, for a specific IP address that visited web resources:
nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5 and (dst port 80 or dst port 443)' > file.txt
If the NAT (translated) addresses are also recorded in the flows, you can additionally filter on the NAT IP with grep:
nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5 and (dst port 80 or dst port 443)' | grep "10.10.5.5" > file.txt
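A plain grep for "10.10.5.5" also matches addresses such as 10.10.5.50 or 110.10.5.5, so when you are after one specific host it is safer to compare whole address fields. The shell functions below are an added example and not code from the original article: they read nfdump's CSV output (nfdump -o csv, which prints a header line naming each column and plain, unscaled byte counts; the functions assume that header carries sa, da and ibyt for source address, destination address and input bytes), keep only flows in which the given address is exactly the source or the destination, and sum the bytes per remote peer. The CSV in SAMPLE_CSV is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Post-processes nfdump CSV
# output. Columns are looked up by their header name, so the exact column
# order of the nfdump version in use does not matter as long as the header
# contains sa, da and ibyt (assumed names for src addr, dst addr, input bytes).

# Constructed sample of what "nfdump -o csv ..." prints, trimmed to a few
# columns, including the summary lines nfdump appends after the flows.
SAMPLE_CSV='ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2020-04-06 10:15:01,2020-04-06 10:15:02,0.250,192.168.5.5,10.10.5.5,51234,443,TCP,.AP.SF,0,0,12,4596
2020-04-06 10:15:03,2020-04-06 10:15:03,0.010,192.168.5.50,10.10.5.5,51235,80,TCP,.AP.SF,0,0,3,300
2020-04-06 10:16:00,2020-04-06 10:16:05,5.000,10.10.5.50,192.168.5.5,443,51236,TCP,.AP.SF,0,0,40,60000
2020-04-06 10:17:00,2020-04-06 10:17:01,1.000,10.10.5.5,192.168.5.5,22,40000,TCP,.AP.SF,0,0,10,1500
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
4,66396,65,106233,104,1021'

# flows_for_ip IP: pass through the header plus every flow whose source or
# destination address equals IP exactly (no substring matches).
# Usage: nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ -o csv 'proto tcp' | flows_for_ip 10.10.5.5
flows_for_ip() {
    awk -F, -v ip="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; print; next }   # header: name -> column index
        $(col["sa"]) == ip || $(col["da"]) == ip { print }                # summary lines never match
    '
}

# bytes_per_peer IP: total input bytes exchanged between IP and each remote
# peer, largest first (like "nfdump -s srcip/bytes", but restricted to the
# conversations of one host). Output lines: "<peer> <bytes>".
# Usage: nfdump -R ... -o csv 'ip 192.168.5.5' | bytes_per_peer 192.168.5.5
bytes_per_peer() {
    awk -F, -v ip="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["sa"]) == ip { total[$(col["da"])] += $(col["ibyt"]) }
        $(col["da"]) == ip { total[$(col["sa"])] += $(col["ibyt"]) }
        END { for (p in total) printf "%s %d\n", p, total[p] }
    ' | sort -k2,2nr
}

# Run both functions on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_CSV" | flows_for_ip 10.10.5.5
    printf '%s\n' "$SAMPLE_CSV" | bytes_per_peer 192.168.5.5
}
```

On the sample, grep -c "10.10.5.5" reports four flows because the 10.10.5.50 line matches as a substring, while flows_for_ip 10.10.5.5 returns the three flows that really involve that host (plus the header). Because flows_for_ip forwards the header, its output can be piped straight into bytes_per_peer.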
All TCP traffic for a specific IP address:
nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5' > tcp_flows_src.txt
nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and dst ip 192.168.5.5' > tcp_flows_dst.txt
You can also resolve IP addresses to host names (the -i flag of the original one-liner is an in-place edit option that only makes sense with file arguments, so it is dropped here):
nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5' | perl -p -e 'use Socket; s#(\d{1,3}(\.\d{1,3}){3})\b#gethostbyaddr(inet_aton($1), AF_INET) or $1#eg' > 06.04.2020_all_tcp_resolved.txt
Since nfcapd is only a collector, you also need to configure a sensor that will send netflow data to it, for example fprobe, or enable NetFlow export on a switch or router.
Make sure nfdump starts when the operating system starts:
systemctl is-enabled nfdump
systemctl enable nfdump
systemctl status nfdump
If iptables is used, then open the port for the sensor:
iptables -A INPUT -s 192.168.5.5/32 -p udp --dport 2055 -j ACCEPT
See also my articles:
- Installing and configuring fprobe
- Installing and using ipt_NETFLOW
- Installing and using softflowd
- Installing and using flow-tools
- Configuring NetFlow on Cisco
- Installing and using Nfsen
Hi. I did the procedure, but:
operador@vm3s1bbt:~$ sudo sfcapd -E -p 6343 -l /tmp/nfcap-test
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: NEL Common block
^CFile Block Header:
NumBlocks = 0
Size = 0
id = 2
operador@vm3s1bbt:~$
operador@vm3s1bbt:~$ netstat -u
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
operador@vm3s1bbt:~$
operador@vm3s1bbt:~$ ps auxwww | grep sfcapd
operador 5366 0.0 0.0 6432 732 pts/1 S+ 21:49 0:00 grep --color=auto sfcapd
operador@vm3s1bbt:~$
Empty Files..
operador@vm3s1bbt:~$
operador@vm3s1bbt:~$ ls -l /tmp/nfcap-test
total 16
-rw-r--r-- 1 operador operador 276 Jul 1 21:36 nfcapd.202007012136
-rw-r--r-- 1 root root 276 Jul 1 21:48 nfcapd.202007012147
-rw-r--r-- 1 operador operador 276 Jul 1 21:49 nfcapd.202007012149
-rw-r–r– 1 operador ope
Regards..