Installing and using Nfdump

Nfdump is a collection of tools for collecting and processing NetFlow data.

To install Nfdump on Ubuntu/Debian, do:

sudo apt-get install nfdump

On CentOS:

sudo yum install nfdump

The nfdump package consists of:
nfcapd – receives NetFlow data from the network and saves it to files.
nfdump – reads NetFlow data from files.
nfprofile – reads NetFlow data from files, applies filters and saves the result to a file.
nfreplay – reads NetFlow data from files and sends it to another network node.
nfclean.pl – a script for cleaning up old data.
ft2nfdump – reads and converts data.

If you install nfsen, it will launch nfcapd itself.

As an example, here is how to run nfcapd manually and look at the collected data:

mkdir /tmp/nfcap-test
nfcapd -E -p 9001 -l /tmp/nfcap-test
(press CTRL+C to stop nfcapd)
ls -l /tmp/nfcap-test
nfdump -r /tmp/nfcap-test/nfcapd.* | less
nfdump -r /tmp/nfcap-test/nfcapd.* -s srcip/bytes

You can see the running nfcapd processes with the command:

ps auxwww | grep nfcapd

Note that by default, after installation, nfcapd starts, listens on port 2055 and writes data to /var/cache/nfdump.

Some more examples of viewing statistics:

nfdump -r /var/cache/nfdump/nfcapd.202001292351 -c 100
nfdump -o raw -r /var/cache/nfdump/nfcapd.202001292351
nfdump -r /var/cache/nfdump/nfcapd.202001292351 -c 100 'proto tcp and ( src ip 172.17.5.21 or dst ip 172.17.5.22 )'
nfdump -r /var/cache/nfdump/nfcapd.202001292351 'proto tcp and ( src ip 172.17.5.21 and dst port 80 or dst port 443 and dst ip 192.168.1.5 )'
nfdump -M /srv/nfsen/profiles-data/live/upstream1/2020/01/30:/srv/nfsen/profiles-data/live/upstream1/2020/01/30 -R nfcapd.202001300000:nfcapd.202001300455 -s record -n 20 -o extended

Read all files in the specified directory:

nfdump -R /var/cache/nfdump/ 'proto tcp and (dst port 80 or dst port 443)'

You can output the results to a file, for example, for a specific IP address that visited web resources:

nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5 and (dst port 80 or dst port 443)' > file.txt

If NAT IP addresses are also recorded, the output can additionally be filtered by NAT IP with grep:

nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5 and (dst port 80 or dst port 443)' | grep -F "10.10.5.5" > file.txt

All TCP traffic for a specific IP address:

nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5' > tcp_flows_src.txt
nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and dst ip 192.168.5.5' > tcp_flows_dst.txt

You can also convert IP addresses to domains:

nfdump -R /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ 'proto tcp and src ip 192.168.5.5' | perl -p -e 'use Socket; s#(\d{1,3}(\.\d{1,3}){3})\b#gethostbyaddr(inet_aton($1), AF_INET) or $1#eg' > 06.04.2020_all_tcp_resolved.txt
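
The file-range form of -R and the per-host web filter used above can be combined to pull one host's web flows for a time window. The following is an added example, not part of the original article: the helper names nfcapd_slot, valid_ipv4 and web_flow_cmd are hypothetical, and it assumes nfcapd's default 5-minute file rotation and a window that lies inside a single day directory.

```shell
# Added example; helper names and sample values are hypothetical.
# Assumes nfcapd's default 5-minute rotation: files are named
# nfcapd.YYYYmmddHHMM with MM a multiple of 5.

# Round a YYYYmmddHHMM timestamp down to the start of its 5-minute file.
nfcapd_slot() {
    case $1 in *[!0-9]*|"") return 1 ;; esac
    [ "${#1}" -eq 12 ] || return 1
    prefix=${1%??}      # YYYYmmddHH
    mm=${1#"$prefix"}   # MM
    mm=${mm#0}          # strip a leading zero so 08 is not parsed as octal
    [ "$mm" -le 59 ] || return 1
    printf '%s%02d\n' "$prefix" $(( mm - mm % 5 ))
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255, so text
# pasted from a ticket cannot add clauses to the filter expression.
valid_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the nfdump command for one host's web traffic in a time window.
# usage: web_flow_cmd DAY_DIR START END SRC_IP   (START/END: YYYYmmddHHMM)
web_flow_cmd() {
    first=$(nfcapd_slot "$2") || return 1
    last=$(nfcapd_slot "$3") || return 1
    [ "$first" -le "$last" ] || return 1
    valid_ipv4 "$4" || return 1
    printf "nfdump -R %s/nfcapd.%s:nfcapd.%s 'proto tcp and src ip %s and (dst port 80 or dst port 443)'\n" \
        "${1%/}" "$first" "$last" "$4"
}

# Constructed sample values: window 10:03-10:57 on 2020-04-06.
web_flow_cmd /srv/nfsen/profiles-data/live/upstream1/2020/04/06/ \
    202004061003 202004061057 192.168.5.5
```

Flow records are written when the exporter sends them, which can be later than the moment the flow started, so extend the end of the window by a few files when looking for long-lived connections.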

Since nfcapd is only a collector, you also need to configure a sensor that will send data to it, for example fprobe, or configure NetFlow export on a switch.

Make sure nfdump starts when the operating system starts:

systemctl is-enabled nfdump
systemctl enable nfdump
systemctl status nfdump

If iptables is used, open the collector port for the sensor's address:

iptables -A INPUT -s 192.168.5.5/32 -p udp --dport 2055 -j ACCEPT


1 Comment


  1. Hi. I did the procedure, but:

    operador@vm3s1bbt:~$ sudo sfcapd -E -p 6343 -l /tmp/nfcap-test
    Add extension: 2 byte input/output interface index
    Add extension: 4 byte input/output interface index
    Add extension: 2 byte src/dst AS number
    Add extension: 4 byte src/dst AS number
    Add extension: 4 byte output bytes
    Add extension: 8 byte output bytes
    Add extension: NSEL Common block
    Add extension: NSEL xlate ports
    Add extension: NSEL xlate IPv4 addr
    Add extension: NSEL xlate IPv6 addr
    Add extension: NSEL ACL ingress/egress acl ID
    Add extension: NSEL username
    Add extension: NSEL max username
    Add extension: NEL Common block
    ^CFile Block Header:
    NumBlocks = 0
    Size = 0
    id = 2

    operador@vm3s1bbt:~$

    operador@vm3s1bbt:~$ netstat -u
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    operador@vm3s1bbt:~$

    operador@vm3s1bbt:~$ ps auxwww | grep sfcapd
    operador 5366 0.0 0.0 6432 732 pts/1 S+ 21:49 0:00 grep --color=auto sfcapd
    operador@vm3s1bbt:~$

    Empty Files..
    operador@vm3s1bbt:~$
    operador@vm3s1bbt:~$ ls -l /tmp/nfcap-test
    total 16
    -rw-r--r-- 1 operador operador 276 Jul 1 21:36 nfcapd.202007012136
    -rw-r--r-- 1 root root 276 Jul 1 21:48 nfcapd.202007012147
    -rw-r--r-- 1 operador operador 276 Jul 1 21:49 nfcapd.202007012149
    -rw-r--r-- 1 operador ope

    Regards..