bit of a newbie question(s) #44
Comments
Hi Ken,

I will try to help you as much as possible, though I'm not an expert either. Understood that you are new to nfsen. Are you familiar with NetFlow? If not, maybe start by reading the Wikipedia page https://en.wikipedia.org/wiki/NetFlow

Based on what you can read on the Wikipedia page, you could imagine "nfsen-ng" as the web "Analysis application". It is actually a web-based visualizer that uses nfdump, which is the real analysis application. nfsen-ng has nothing to do with the exporter part nor the collector part. The exporter could be a network device (software or hardware) and the collector in our case is "nfcapd" from the "nfdump" suite.

To sum up, "nfsen-ng" will work only if you have collected data with your collector (nfcapd), which will collect data only if you have configured an exporter correctly.

My first question is: did you configure an exporter? If you let the collector run without sending data to it, you will have no data to use.

Please post a tree output of your "/var/nfdump/profiles-data/live/bachman" with:

What is the output of "cli.php" if you run it without arguments?

Do you get output if you run nfdump with YOUR_FILE being a nfcapd file in that directory?

Thanks for your advice concerning the netflow user. Actually this is not covered here, as this is part of the data collection, which is accomplished with nfcapd from the nfdump suite and should probably be explained there. In any case, it is a good idea and if we manage to find a time slot with @mbolli we will implement some features, correct some bugs and work on the wiki to cover that part too. Currently we are overloaded with our respective jobs but the motivation to keep working on this project does exist ;-)

Looking forward to getting your feedback and further helping you
Hi Dona, Well, not so much of a newbie …. I've been working with NetFlow for quite a number of years now … here are your requests …
root@Netflow:/var/www/html/nfsen-ng/backend# ./cli.php
root@Netflow:/var/www/html/nfsen-ng/backend#
root@Netflow:/var/www/html/nfsen-ng/backend# nfdump -I -M bachman -r /var/nfdump/profiles-data/live/bachman/2020/03/27/00/nfcapd.202003270000
Can't stat 'bachman': No such file or directory
Ident: fortinet
Flows: 0
Flows_tcp: 0
Flows_udp: 0
Flows_icmp: 0
Flows_other: 0
Packets: 0
Packets_tcp: 0
Packets_udp: 0
Packets_icmp: 0
Packets_other: 0
Bytes: 0
Bytes_tcp: 0
Bytes_udp: 0
Bytes_icmp: 0
Bytes_other: 0
First: 1585292400
Last: 1585292700
msec_first: 0
msec_last: 0
Sequence failures: 0
root@Netflow:~# tree -h /var/nfdump/profiles-data/live/bachman
/var/nfdump/profiles-data/live/bachman
├── [4.0K] 2020
│ └── [4.0K] 03
│ ├── [4.0K] 26
│ │ └── [4.0K] 23
│ │ ├── [ 276] nfcapd.202003262330
│ │ ├── [ 276] nfcapd.202003262335
│ │ ├── [ 276] nfcapd.202003262340
│ │ ├── [ 276] nfcapd.202003262345
│ │ ├── [ 276] nfcapd.202003262350
│ │ └── [ 276] nfcapd.202003262355
│ └── [4.0K] 27
│ ├── [4.0K] 00
│ │ ├── [ 276] nfcapd.202003270000
│ │ ├── [ 276] nfcapd.202003270005
│ │ ├── [ 276] nfcapd.202003270010
│ │ ├── [ 276] nfcapd.202003270015
│ │ ├── [ 276] nfcapd.202003270020
│ │ ├── [ 276] nfcapd.202003270025
│ │ ├── [ 276] nfcapd.202003270030
│ │ ├── [ 276] nfcapd.202003270035
│ │ ├── [ 276] nfcapd.202003270040
│ │ ├── [ 276] nfcapd.202003270045
│ │ ├── [ 276] nfcapd.202003270050
│ │ └── [ 276] nfcapd.202003270055
│ ├── [4.0K] 01
│ │ ├── [ 276] nfcapd.202003270100
│ │ ├── [ 276] nfcapd.202003270105
│ │ ├── [ 276] nfcapd.202003270110
│ │ ├── [ 276] nfcapd.202003270115
│ │ ├── [ 276] nfcapd.202003270120
│ │ ├── [ 276] nfcapd.202003270125
│ │ ├── [ 276] nfcapd.202003270130
│ │ ├── [ 276] nfcapd.202003270135
│ │ ├── [ 276] nfcapd.202003270140
│ │ ├── [ 276] nfcapd.202003270145
│ │ ├── [ 276] nfcapd.202003270150
│ │ └── [ 276] nfcapd.202003270155
Hi Ken,

Based on your feedback, it seems that many things are not working and should be fixed. Below are some observed points which might further help you:

Without having any idea about your infrastructure, I would do the following in this situation:

Let's start with that
Hi Dona,
In this comment #1 it says that nfsen-ng can only process the LIVE profile so if that’s incorrect then that needs to be changed, or corrected, or removed ….
The files are not empty as seen here
4.0K nfcapd.202003271135 4.0K nfcapd.202003280955 40K nfcapd.202003290815 4.0K nfcapd.202003300635
4.0K nfcapd.202003271140 4.0K nfcapd.202003281000 40K nfcapd.202003290820 4.0K nfcapd.202003300640
4.0K nfcapd.202003271145 4.0K nfcapd.202003281005 40K nfcapd.202003290825 4.0K nfcapd.202003300645
4.0K nfcapd.202003271150
I’ve moved the flow data from my Fortinet Firewall and nprobe onto another system and this is the output of tcpdump on that system, so I think flows are there….
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
04:17:48.537676 IP 10.0.1.1.3370 > 10.0.1.14.xribs: NetFlow v9
04:17:48.537709 IP 10.0.1.1.3370 > 10.0.1.14.xribs: NetFlow v9
04:17:50.068457 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:17:55.068445 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:17:58.068495 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:03.556830 IP 10.0.1.1.3370 > 10.0.1.14.xribs: NetFlow v9
04:18:03.556852 IP 10.0.1.1.3370 > 10.0.1.14.xribs: NetFlow v9
04:18:08.068472 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:11.068421 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:11.068443 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:11.068447 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:14.068381 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:18.068521 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
04:18:18.575519 IP 10.0.1.1.3370 > 10.0.1.14.xribs: NetFlow v9
04:18:18.575539 IP 10.0.1.1.3370 > 10.0.1.14.xribs: NetFlow v9
04:18:20.068496 IP 10.0.1.10.59715 > 10.0.1.14.xribs: NetFlow v9
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
The system I have nfsen-ng on is
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
Anything else ….
Ken
Hi Ken,

The comment you referred to is correct and does not need any correction. You are using the live profile already (seen in your path -> /var/nfdump/profiles-data/live/bachman).

If the files were not empty, your tree output would look like this (see my truncated output below). Instead of that, your tree output shows [276] in front of each file, which corresponds to empty nfcapd files.

root@nfsen-ng: tree -h /var/nfsen/profiles-data/live/source1/2020/03

Additionally, running the nfdump command would give you data if your files were not empty (see below example from my machine), which is much different from what you posted above.

root@nfsen-ng: nfdump -I -M source1 -r /var/nfsen/profiles-data/live/source1/2020/03/31/nfcapd.202003311345

Therefore, you have issues with your collector. Check the nfdump (and related nfcapd) GitHub page (https://github.com/phaag/nfdump) to have a working instance, as nfsen-ng will work only once these tools are set up correctly
Hi,
So I think there were a couple of problems: one was not following the instructions correctly, and it really needs to have /settings/settings.php … plus I think there was a permissions issue with .. in one of the directories …. Here's nfdump of one of the files now
root@Netflow:/var/www/html/nfsen-ng/backend# nfdump -I -r /var/nfdump/profiles-data/live/fortinet/2020/04/01/13/nfcapd.202004011340
Ident: fortinet
Flows: 260
Flows_tcp: 52
Flows_udp: 206
Flows_icmp: 2
Flows_other: 0
Packets: 151600
Packets_tcp: 108080
Packets_udp: 43360
Packets_icmp: 160
Packets_other: 0
Bytes: 111046400
Bytes_tcp: 98996000
Bytes_udp: 12023520
Bytes_icmp: 26880
Bytes_other: 0
First: 1585771708
Last: 1585773858
msec_first: 120
msec_last: 770
Sequence failures: 0
Now on ./cli.php I get
root@Netflow:/var/www/html/nfsen-ng/backend# ./cli.php
2020-04-01 14:34:20 Fatal: Please install the PECL rrd library.
But when I do a pecl install rrd I get
root@Netflow:/var/www/html/nfsen-ng/backend# pecl install rrd
pecl/rrd is already installed and is the same as the released version 2.0.1
install failed
Any hints ??
thanks
Ken
… On Mar 31, 2020, at 5:23 AM, Dona21 ***@***.***> wrote:
Hi Ken,
The comment you referred to is correct and does not need any correction. You are using the live profile already (seen in your path -> /var/nfdump/profiles-data/live/bachman).
If the files were not empty, your tree output would look like this (see my truncated output below). Instead of that, your tree output shows [276] in front of each file which corresponds to empty nfcapd files.
root@nfsen-ng: tree -h /var/nfsen/profiles-data/live/source1/2020/03
.
├── [ 11K] 01
│ ├── [ 18K] nfcapd.202003010000
│ ├── [ 17K] nfcapd.202003010005
│ ├── [ 15K] nfcapd.202003010010
│ ├── [ 18K] nfcapd.202003010015
│ ├── [ 15K] nfcapd.202003010020
│ ├── [ 16K] nfcapd.202003010025
│ ├── [ 18K] nfcapd.202003010030
│ ├── [ 18K] nfcapd.202003010035
│ ├── [ 15K] nfcapd.202003010040
│ ├── [ 16K] nfcapd.202003010045
│ ├── [ 14K] nfcapd.202003010050
│ ├── [ 16K] nfcapd.202003010055
Additionally, running the nfdump command would give you data if your files were not empty (see below example from my machine), which is much different from what you posted above.
root@nfsen-ng: nfdump -I -M source1 -r /var/nfsen/profiles-data/live/source1/2020/03/31/nfcapd.202003311345
Can't stat 'source1': No such file or directory
Ident: source1
Flows: 1116
Flows_tcp: 12
Flows_udp: 446
Flows_icmp: 71
Flows_other: 587
Packets: 2319
Packets_tcp: 651
Packets_udp: 850
Packets_icmp: 90
Packets_other: 728
Bytes: 451861
Bytes_tcp: 128992
Bytes_udp: 206805
Bytes_icmp: 9546
Bytes_other: 106518
First: 1585655034
Last: 1585655395
msec_first: 444
msec_last: 130
Sequence failures: 132
Therefore, you have issues with your collector. Check the nfdump (and related nfcapd) GitHub page (https://github.com/phaag/nfdump) to have a working instance, as nfsen-ng will work only once these tools are set up correctly
Hi Ken,

Glad to hear that you managed to get the collector working. The profiles-data folder structure however is still wrong (by wrong I mean not compatible with nfsen-ng). nfsen-ng expects the profiles-data folder structure to be

The captured data in your case is

Based on your first comment this should be easily fixed by changing your lower case "-s" parameter to upper case "-S"; this:

becomes that:

Concerning the message you are getting when executing cli.php, could you post the content of this file /etc/php/7.2/mods-available/rrd.ini
Hi Dona,
thanks I have fixed my nfcapd to have the -S
and the contents of
root@Netflow:/var/www/html/nfsen-ng/backend# cat /etc/php/7.2/mods-available/rrd.ini
add extension=rrd.so
phpenmod rrd
thanks
Ken
… On Apr 2, 2020, at 11:53 PM, Dona21 ***@***.***> wrote:
/etc/php/7.2/mods-available/rrd.ini
Hi Ken,

the contents of rrd.ini should only be extension=rrd.so.

and phpenmod rrd is a command to execute in the terminal.

Don't forget to service apache2 restart after the command above.

enjoy your weekend!
Ah, ok thanks
fixed rrd.ini and ran phpenmod rrd and restarted apache2
still get
root@Netflow:/var/www/html/nfsen-ng/backend# phpenmod rrd
root@Netflow:/var/www/html/nfsen-ng/backend# service apache2 restart
root@Netflow:/var/www/html/nfsen-ng/backend# ./cli.php
2020-04-03 07:38:49 Fatal: Please install the PECL rrd library.
root@Netflow:/var/www/html/nfsen-ng/backend#
… On Apr 3, 2020, at 7:32 AM, Michael Bolli ***@***.***> wrote:
Hi Ken,
the contents of rrd.ini should only be extension=rrd.so.
and phpenmod rrd is a command to execute in the terminal.
Don't forget to service apache2 restart after the command above.
enjoy your weekend!
Michael
Hmm that's weird.

Can you confirm that there's a file 20-rrd.ini (or similar) in both of these folders:

/etc/php/7.2/cli/conf.d
/etc/php/7.2/apache2/conf.d
root@Netflow:/var/www/html/nfsen-ng/backend# ls /etc/php/7.2/cli/conf.d/
10-opcache.ini 20-calendar.ini 20-exif.ini 20-gettext.ini 20-phar.ini 20-rrd.ini 20-sockets.ini 20-sysvshm.ini 20-xmlreader.ini
10-pdo.ini 20-ctype.ini 20-fileinfo.ini 20-iconv.ini 20-posix.ini 20-shmop.ini 20-sysvmsg.ini 20-tokenizer.ini 20-xmlwriter.ini
15-xml.ini 20-dom.ini 20-ftp.ini 20-json.ini 20-readline.ini 20-simplexml.ini 20-sysvsem.ini 20-wddx.ini 20-xsl.ini
root@Netflow:/var/www/html/nfsen-ng/backend# cat /etc/php/7.2/cli/conf.d/20-rrd.ini
add extension=rrd.so
root@Netflow:/var/www/html/nfsen-ng/backend# ls /etc/php/7.2/apache2/conf.d/
10-opcache.ini 20-calendar.ini 20-exif.ini 20-gettext.ini 20-phar.ini 20-rrd.ini 20-sockets.ini 20-sysvshm.ini 20-xmlreader.ini
10-pdo.ini 20-ctype.ini 20-fileinfo.ini 20-iconv.ini 20-posix.ini 20-shmop.ini 20-sysvmsg.ini 20-tokenizer.ini 20-xmlwriter.ini
15-xml.ini 20-dom.ini 20-ftp.ini 20-json.ini 20-readline.ini 20-simplexml.ini 20-sysvsem.ini 20-wddx.ini 20-xsl.ini
root@Netflow:/var/www/html/nfsen-ng/backend# cat /etc/php/7.2/apache2/conf.d/20-rrd.ini
add extension=rrd.so
root@Netflow:/var/www/html/nfsen-ng/backend#
… On Apr 3, 2020, at 7:48 AM, Michael Bolli ***@***.***> wrote:
Hmm that's weird.
Can you confirm that there's a file 20-rrd.ini (or similar) in both of these folders:
/etc/php/7.2/cli/conf.d
/etc/php/7.2/apache2/conf.d
What about php -i | grep rrd ?
root@Netflow:/var/www/html/nfsen-ng/backend# php -i | grep rrd
/etc/php/7.2/cli/conf.d/20-rrd.ini,
root@Netflow:/var/www/html/nfsen-ng/backend#
… On Apr 3, 2020, at 8:25 AM, Michael Bolli ***@***.***> wrote:
What about php -i | grep rrd ?
Ok so the php rrd module is definitely not loaded (at least for the cli profile).

mbolli@newdev:/var/www$ php -i | grep rrd
/etc/php/7.2/cli/conf.d/20-rrd.ini,
rrd
rrd tool module => enabled
rrd tool module version => 2.0.1
rrdtool library version => 1.7.0

There lies the culprit, but I don't know how to help from here... You've got to somehow enable the rrd module (for cli and apache2 profiles).
Hi Ken,

Your *rrd.ini files are wrong.

If you cat the files the output should be extension=rrd.so instead of add extension=rrd.so.

Modify the files accordingly and then restart the apache webserver with systemctl restart apache2

This particular issue should be fixed then.
Ah, ok got it …. maybe for the less intuitive people the Installation should read
cd /etc/php/7.2/mods-available && vim rrd.ini # add the line extension=rrd.so
So everything came up
Next question, if I copy the files from the YYYY/MM/DD/HR up a level to YYYY/MM/DD/ will nfsen pick up that data ??
thanks
Ken
… On Apr 3, 2020, at 9:33 AM, Dona21 ***@***.***> wrote:
Hi Ken,
Your *rrd.ini files are wrong.
If you cat the files the output should be extension=rrd.so instead of add extension=rrd.so.
Modify the files accordingly and then restart the apache webserver with systemctl restart apache2
This particular issue should be fixed then.
I would personally delete the content of the data directory and start everything in a clean manner now that you know how to have a running instance. However, if for any reason you prefer to keep the data, it might be better to move the data rather than make a copy.

In order to avoid other people having the same issue, I will slightly change the instructions to make them less error prone.

I think your issue is solved, please consider closing it. Have a good weekend
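The three things the maintainers had Ken verify in this thread (nfcapd files of 276 bytes, which nfdump -I reports as Flows: 0; data sitting in the YYYY/MM/DD layout rather than the hourly YYYY/MM/DD/HH tree, fixed via the upper-case -S flag; and an rrd.ini that contains nothing but extension=rrd.so) can be checked by script before opening nfsen-ng. The script below is an added example and is not part of nfsen-ng or nfdump. It assumes the 276-byte header-only size observed in this thread (overridable through HEADER_ONLY_BYTES), the directory layout shown in the maintainer's own tree output, and a php binary on PATH for the module check, which uses php -m in place of the php -i | grep rrd test from earlier in the thread. The script name in the usage line is hypothetical.

```shell
#!/bin/sh
# Preflight checks for an nfsen-ng collection directory. Added example, not
# code from nfsen-ng or nfdump. Assumptions: the layout the maintainers show
# in this thread (profiles-data/live/<source>/YYYY/MM/DD/nfcapd.YYYYMMDDhhmm)
# and that a file holding only the nfcapd header is 276 bytes, as every
# 'Flows: 0' file in this thread was. Override HEADER_ONLY_BYTES if your
# nfdump version writes a different header size.

HEADER_ONLY_BYTES=${HEADER_ONLY_BYTES:-276}

# check_layout SOURCE_DIR
# Succeeds only when at least one nfcapd.* file exists and every one of them
# sits directly under SOURCE_DIR/YYYY/MM/DD. The hourly YYYY/MM/DD/HH tree
# seen earlier in this thread fails here.
check_layout() {
    src=${1%/}
    total=$(find "$src" -type f -name 'nfcapd.*' | wc -l | tr -d ' ')
    ok=$(find "$src" -type f -name 'nfcapd.*' \
              -path "$src/[0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9]/nfcapd.*" \
              | wc -l | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo "no nfcapd files under $src: is nfcapd running and receiving flows?" >&2
        return 1
    fi
    if [ "$total" -ne "$ok" ]; then
        echo "$((total - ok)) of $total files are not in YYYY/MM/DD (check the nfcapd -S flag)" >&2
        return 1
    fi
    return 0
}

# count_header_only SOURCE_DIR
# Prints how many nfcapd.* files are header-only (HEADER_ONLY_BYTES or
# smaller). Each one is a collection slot in which no flow records arrived;
# 'nfdump -I -r FILE' on such a file reports Flows: 0.
count_header_only() {
    find "${1%/}" -type f -name 'nfcapd.*' -size "-$((HEADER_ONLY_BYTES + 1))c" \
        | wc -l | tr -d ' '
}

# check_rrd_ini INI_FILE
# Succeeds only if the file reduces to the single directive the maintainers
# ask for, "extension=rrd.so" (blank lines and ';' comments ignored). A stray
# prefix such as "add extension=rrd.so" leaves the module unloaded and
# cli.php reporting the missing PECL rrd library.
check_rrd_ini() {
    body=$(tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*;')
    [ "$body" = "extension=rrd.so" ]
}

# check_php_rrd
# Succeeds when the CLI PHP actually loads the rrd extension, which is the
# runtime truth the ini file alone cannot prove. Returns 2 if php is absent.
check_php_rrd() {
    command -v php >/dev/null 2>&1 || return 2
    php -m | grep -qx rrd
}

main() {
    src=$1
    check_layout "$src" && echo "layout OK: $src"
    echo "header-only files: $(count_header_only "$src")"
    # PHP version directories vary per distribution; the thread used 7.2.
    for ini in /etc/php/*/cli/conf.d/20-rrd.ini /etc/php/*/apache2/conf.d/20-rrd.ini; do
        [ -f "$ini" ] || continue
        if check_rrd_ini "$ini"; then echo "ini OK: $ini"; else echo "ini WRONG: $ini" >&2; fi
    done
    if check_php_rrd; then echo "php rrd module loaded (cli)"; else echo "php rrd module NOT loaded (cli)" >&2; fi
}

# Usage: sh nfsen-ng-preflight.sh /var/nfdump/profiles-data/live/<source>
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it against the source directory you hand to nfsen-ng. A header-only count equal to the total file count means nfcapd is running but nothing reaches it, which points back at the exporter and the tcpdump check earlier in the thread; a layout failure on an otherwise healthy tree is the -S mix-up the maintainer describes. The Apache SAPI is not checked at runtime here, so after fixing the ini files still restart apache2 as the maintainers say.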
root@nfdump:/var/nfdump/profiles-data/live/ExportFlow# tree -h
Hi @pra838

Referring to this answer, you will notice that your tree output shows [276] in front of each file, which corresponds to empty nfcapd files. Therefore it is normal that no graphs are available, because you have no data collected.

You should have your nfcapd collector up, running and working/configured correctly before using nfsen-ng.

Cheers
Hi, I'm relatively new to nfsen and have gotten to a point where I'm stuck. Sorry if this is very basic ... Through lots of reading I have nfcapd running, creating files under /var/nfdump/profiles-data/live/bachman - I started it with
nfcapd -w -D -p 2025 -u netflow -g www-data -B 200000 -s 1 -z -I bachman -l /var/nfdump/profiles-data/live/bachman
Now onto where I'm stuck ... nfcapd has been running for about 10 hours so I would expect to see lots of data ... but this is what I get when I go to the browser ....
And when I try ./cli.php status I get no response; it also says that a log should be created in /var/www/html/nfsen/backend ... but it's not - so what am I missing??
Also in your readme, while it describes how to install nfsen-ng, maybe a couple of lines on adding the netflow user and how to start nfcapd would be useful
thanks in advance
Ken