{"id":1223,"date":"2016-09-04T16:54:59","date_gmt":"2016-09-04T21:54:59","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=1223"},"modified":"2023-07-04T12:57:13","modified_gmt":"2023-07-04T17:57:13","slug":"edgeos-and-netflow","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2016\/09\/edgeos-and-netflow\/","title":{"rendered":"EdgeOS and Netflow"},"content":{"rendered":"\n

Update<\/strong>: Since I wrote this blog post in 2016, I’ve turned off netflow on my router. Why? Because I upgraded to gigabit fiber, and when netflow is enabled, it throttled my speed to 150 Mb\/s or so. Not good! Giving up netflow is a small price to pay for full gigabit speeds. If you do enable netflow, keep this in mind.<\/p>\n\n\n\n\n\n\n\n

I\u2019ve written a lot about getting stuff working on my Ubiquiti EdgeOS router<\/a>. Recently, I got the idea in my head to enable netflow on the router to do some traffic analysis. My router does support exporting netflow data, so I thought it would be fairly simple to set up. In the end, it wasn\u2019t too hard, but it did take some research and at least one dumb mistake.<\/p>\n\n\n\n

Setting up netflow on the router wasn\u2019t too hard at all. Below is the config I ultimately enabled:<\/p>\n\n\n\n

system {\r\n\tflow-accounting {\r\n\t\tingress-capture post-dnat\r\n\t\tinterface eth2\r\n\t\tnetflow {\r\n\t\t\tenable-egress {\r\n\t\t\t\tengine-id 2\r\n\t\t\t}\r\n\t\t\tengine-id 1\r\n\t\t\tserver 192.168.2.12 {\r\n\t\t\t\tport 2055\r\n\t\t\t}\r\n\t\t\ttimeout {\r\n\t\t\t\texpiry-interval 60\r\n\t\t\t\tflow-generic 60\r\n\t\t\t\ticmp 60\r\n\t\t\t\tmax-active-life 604800\r\n\t\t\t\ttcp-fin 60\r\n\t\t\t\ttcp-generic 60\r\n\t\t\t\ttcp-rst 60\r\n\t\t\t\tudp 60\r\n\t\t\t}\r\n\t\t\tversion 9\r\n\t\t}\r\n\tsyslog-facility daemon\r\n\t}\r\n}<\/code><\/pre>\n\n\n\n
The timeout settings are all set to 60 seconds, which is far lower than the defaults. Setting them lower will make the data less choppy, as the default generic flow has a timeout of an hour, so you may not get any data from a flow until it ends if it takes less than an hour, and then all of a sudden you see that you got a large chunk of data incoming\/outgoing. Finally, the version of netflow exported is Cisco v9.<\/p>\n\n\n\n
Although some of those settings required tweaking, particularly the post-dnat<\/span> and the timeouts, but it wasn\u2019t hard to set up at all. The first issue cropped up when it came time to find a collector for my CentOS server. The favorite on every list, ntop<\/a>, is not free, so scratch that. I then turned to pmacct<\/a>, specifically nfacctd as the collector, which I couldn\u2019t get working for reasons which will soon become obvious. Sill stymied, I turned to NFDUMP<\/a> and nfcapd, which once again would not work. I got very frustrated and set it aside for a couple of weeks, coming back to it later.<\/p>\n\n\n\n
What frustrated me was the fact that I could see data packets arriving on port 2055 on my server. Doing a trusty tcpdump in very verbose mode showed netflow data arriving, and I even pulled out RFC3954<\/a> and groveled over the UDP payloads to validate that yes, this was in fact netflow v9 data in the packets. So then why weren\u2019t any of the tools actually receiving data?<\/p>\n\n\n\n
It was at this point that the \u201cduh\u201d moment hit. IPTABLES. I have IPTABLES as a host-based firewall on the CentOS server, and of course I did not have a rule allowing udp traffic to port 2055 through. Once I did this, I started getting data via nfcapd. I learned a very important lesson: tcpdump sees traffic before IPTABLES<\/a>, so even if you see data arriving via tcpdump, that doesn\u2019t mean it is passing your firewall. D\u2019oh!<\/p>\n\n\n\n
At this point I was finally receiving data, and as readers of this blog know, once I have data, I usually want to put it into Splunk<\/a>. Tune in later for that misadventure!<\/p>\n","protected":false},"excerpt":{"rendered":"
Update: Since I wrote this blog post in 2016, I’ve turned off netflow on my router. Why? Because I upgraded to gigabit fiber, and when netflow is enabled, it throttled my speed to 150 Mb\/s or so. Not good! Giving up netflow is a small price to pay for full gigabit speeds. If you do… Continue reading EdgeOS and Netflow<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[251,280],"class_list":["post-1223","post","type-post","status-publish","format-standard","hentry","category-tech-2","tag-edgeos","tag-netflow","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=1223"}],"version-history":[{"count":3,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1223\/revisions"}],"predecessor-version":[{"id":1351,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1223\/revisions\/1351"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=1223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=1223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=1223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}