Monitoring Cisco NetFlow with Opsview

What is NetFlow and why is it useful?

NetFlow has many uses. It allows the tracking of IP flows as they are received at a Cisco router or switch. It works by collecting information about the data that passes over the device, which can then be aggregated either on the device itself or exported to NetFlow collector software running on an external machine.

NetFlow is a very useful feature of Cisco IOS providing information about:

  • Network and protocol usage - e.g. for accounting and billing purposes.
  • Network productivity and resource usage - e.g. for keeping tabs on the performance of your network.
  • Impact of network changes - e.g. allowing you to understand what happens when you add or remove devices to or from your network.
  • Problems and security issues
  • Long-term compliance issues

Why do we want to do this?

Collecting data is only half of the story; that data only becomes useful when you can actually do something with it. So we wanted a way to enable Opsview to use the data and alert us when predefined thresholds were crossed. We achieved this by using a free collector server to import the data into a MySQL database, which we could then query for specific information using a custom Nagios plugin that we intend to include in a future release of Opsview. Until then, the plugin is available on nagiosexchange.

Further information about Cisco NetFlow

What NetFlow Does

  • Examines the following IP packet attributes:
    • Source and destination IP
    • Source and destination port
    • Layer 3 protocol type
    • Class of Service
    • Router or switch interface
  • All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow & imported into a database of NetFlow information called the NetFlow cache.
  • Information is available from the command line via 'show' commands or can be exported to a 'NetFlow Collector' server.
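An added illustration, not part of the original article, of the grouping rule above: packets that agree on all seven attributes are counted into one flow-cache entry, and a change in any one of them (here a source port or the ToS value) starts a new flow. The packet values are constructed.

```python
# Added example, not part of the original article: a minimal model of the
# NetFlow cache. Packets that agree on all seven attributes listed above are
# counted into the same flow; any differing attribute starts a new flow.
from collections import namedtuple
from typing import Dict, Iterable, Tuple

# One packet as the device sees it (sample values below are constructed).
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto ifindex tos size")

# The seven-field flow key NetFlow uses to decide flow membership.
FlowKey = Tuple[str, str, int, int, int, int, int]


def flow_key(pkt: Packet) -> FlowKey:
    """Source/destination IP, source/destination port, L3 protocol, interface, class of service."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto, pkt.ifindex, pkt.tos)


def build_flow_cache(packets: Iterable[Packet]) -> Dict[FlowKey, Dict[str, int]]:
    """Aggregate packets into a flow cache: one entry per key with packet and byte counters."""
    cache: Dict[FlowKey, Dict[str, int]] = {}
    for pkt in packets:
        entry = cache.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt.size
    return cache


def bytes_to_port(cache: Dict[FlowKey, Dict[str, int]], dst_port: int) -> int:
    """Bytes across all flows towards one destination port, the figure a per-port check would query."""
    return sum(entry["bytes"] for key, entry in cache.items() if key[3] == dst_port)


# Constructed sample traffic: two SSH flows from one host, SNMP from another,
# and one SNMP packet with a different ToS value that must not merge.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.1", 50000, 22, 6, 1, 0, 100),
    Packet("10.0.0.5", "10.0.0.1", 50000, 22, 6, 1, 0, 200),   # same flow as above
    Packet("10.0.0.5", "10.0.0.1", 50001, 22, 6, 1, 0, 150),   # new source port -> new flow
    Packet("10.0.0.7", "10.0.0.1", 40000, 161, 17, 2, 0, 80),
    Packet("10.0.0.7", "10.0.0.1", 40000, 161, 17, 2, 0, 80),  # same flow
    Packet("10.0.0.7", "10.0.0.1", 40000, 161, 17, 2, 8, 80),  # different ToS -> new flow
]

if __name__ == "__main__":
    for key, counters in build_flow_cache(SAMPLE_PACKETS).items():
        print(key, counters)
```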

General Info

  • Cisco NetFlow has been integrated into IOS since version 11.1
  • Several versions capable of exporting data are available: 5, 7 & 9
  • Version 5 is currently the most common.
  • Version 9 is becoming an IETF standard: Internet Protocol Flow Information eXport (IPFIX).

NetFlow Collector server software

There are a large number of NetFlow collectors, including Cisco, freeware and third-party commercial vendors' products, that report on and utilize NetFlow data; the list below is by no means comprehensive.

Non-Free Commercial Collector Software

  • Cisco NetFlow Collector - Traffic analysis - Runs on Linux & Solaris
  • Cisco CS-Mars - Security monitoring - Runs on Linux

Free Collector Software

  • F.L.A.V.I.O - Portable collector & grapher
  • Flow-Tools - Runs on Unix
  • IPFlow - Runs on Linux, BSD, Solaris
  • New NetFlow Collector

How to configure F.L.A.V.I.O and Opsview

What this document covers

This documentation covers the setup of F.L.A.V.I.O and Opsview service checks for use with Cisco NetFlow.

What this document does not cover

  • We will not cover the configuration of NetFlow as that is already documented here
  • We will not cover the setup of the Opsview server as that is already documented here

Prerequisites

  • We assume that you will be running F.L.A.V.I.O, MySQL and Opsview on the same physical server, although it is entirely possible to have MySQL running elsewhere.
  • We assume the use of flavio-2.0.0
  • A working Opsview server

F.L.A.V.I.O is written in Perl and requires that the following Perl modules be installed:

  • DBI-1.21 or newer
  • DBD-mysql-2.1013 or newer
  • GD-1.38 or newer
  • A MySQL server installed and running
    • (If you have a working Opsview server, you will already have this, so we will assume that you intend to use the same MySQL installation)

MySQL configuration

  • Create a database for NetFlow
  CREATE DATABASE netflow;
  USE netflow;
  • Setup a user for NetFlow
  GRANT ALL on netflow.* TO 'netflow'@'localhost' IDENTIFIED BY 'netflow';
  • Create a table in the netflow database called customers:
  CREATE TABLE customers (name varchar(30), ip varchar(15), username varchar(15), password varchar(15), last_ip varchar(15), INDEX (ip));
  • Add your customers into the customers table
  INSERT INTO customers values("customer1_name","ip1_address","","","");
  Repeat as required

F.L.A.V.I.O configuration

  • Download F.L.A.V.I.O from here
  • Untar flavio into a directory (I put it into /usr/local/)
  cd /usr/local
  tar -zxvf /path/to/flavio-2.0.0.tar.gz

I will assume that you intend to use FLAVIO's NetFlow collector.

  • Edit netflow_parse.pl to specify the FLAVIO collector
  my $format = "FLV";
  • Set your timezone in netflow_parse.pl (0 is UK)
  my $timezone = 0;
  • Specify the database name, username and password in netflow_parse.pl
  my $database = "netflow";
  my $username = "netflow"; 
  my $password = "netflow";
  • Edit netflow_collector.pl to specify the IPs of the routers you want to accept flows from
  my @valid_routers = ("127.0.0.1","your.router.ip.address");
  • Edit netflow_aggregate.pl to specify the database name, username and password
  my $database = "netflow";
  my $username = "netflow";
  my $password = "netflow";
  • If you intend to use FLAVIO's graphing capabilities, I recommend setting the following to separate the data:
  my $diff_as = 1;
  my $diff_if = 1;
  • Create a directory to store the flow files and error log
  mkdir /var/netflow/flows
  • Start the NetFlow collector
  ./netflow_collector.pl 9997 /var/netflow/flows/ ./netflow_parse.pl
  • Once you have received some .flw files in /var/netflow/flows, run netflow_aggregate.pl to put the data into MySQL (take careful note of the YEAR MONTH DAY format: month and day must be zero-padded, i.e. 2009 06 05 and not 2009 6 5)
  /usr/local/flavio/netflow_aggregate.pl YEAR MONTH DAY
  • When you are happy that everything is running as expected, create a cronjob as the nagios user to import NetFlow data into MySQL. The date is passed to the script as its YEAR MONTH DAY arguments via command substitution (a pipe would not work, as the script reads its arguments, not stdin), and the % characters are backslash-escaped because cron otherwise treats an unescaped % as a newline
  # Run netflow_aggregate.pl at 01:00 to import yesterday's data into mysql
  0 1 * * * /usr/local/flavio/netflow_aggregate.pl $(date --date="yesterday" +'\%Y \%m \%d') >> /some/where/netflow_aggregate 2>&1

Configure Opsview

  • To enable the plugin in Opsview, simply drop the check_netflow_database script into /usr/local/nagios/libexec/
  • Create service checks for NetFlow

Examples

  • Check SNMP Traffic
    • Name: SNMP Traffic
    • Plugin: check_netflow_database
    • Arguments: -H $HOSTADDRESS$ -c 16000 -w 14000 -p 161
  • Check SSH Traffic
    • Name: SSH Traffic
    • Plugin: check_netflow_database
    • Arguments: -H $HOSTADDRESS$ -c 16000 -w 14000 -p 22
  • Check Telnet Traffic
    • Name: Telnet Traffic
    • Plugin: check_netflow_database
    • Arguments: -H $HOSTADDRESS$ -c 16000 -w 14000 -p 23
  • Add service checks to Cisco hosts
    • Go to host configuration page
    • Select the host to configure
    • Select required service checks and click 'Submit Changes'
    • Go to Status and Reload page and click 'Reload configuration'
  • For more information on configuring 'check_netflow_database' click on the 'Show plugin help' link in the service check configuration page.
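The following is an added example, not the check_netflow_database plugin itself nor any code from Opsview or FLAVIO: a small Nagios-style check that applies the -H/-p/-w/-c arguments shown above to a flow database. It assumes a table named flows with router_ip, dst_port and bytes columns (a constructed stand-in for whatever schema FLAVIO fills in MySQL) and uses an in-memory SQLite database so it runs offline; against MySQL the same parameterised query would be issued through DBI/DBD::mysql or a Python MySQL driver.

```python
# Added example, not the real check_netflow_database plugin: exit-code and
# threshold logic of a per-port traffic check against a flow table.
import sqlite3
from typing import Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed rows for a stand-in table; the column names are an assumption,
# not FLAVIO's real MySQL schema.
SAMPLE_ROWS = [
    ("192.0.2.1", 22, 9000),
    ("192.0.2.1", 22, 6000),
    ("192.0.2.1", 161, 20000),
    ("192.0.2.2", 22, 500),
]


def sample_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (router_ip TEXT, dst_port INTEGER, bytes INTEGER)")
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def traffic_bytes(conn: sqlite3.Connection, host: str, port: int) -> int:
    """Total bytes one router exported towards one destination port (parameterised, never string-built)."""
    row = conn.execute(
        "SELECT COALESCE(SUM(bytes), 0) FROM flows WHERE router_ip = ? AND dst_port = ?",
        (host, port),
    ).fetchone()
    return int(row[0])


def evaluate(total: int, warn: int, crit: int) -> Tuple[int, str]:
    """Nagios threshold rule: critical takes precedence over warning; below warn is OK."""
    if total >= crit:
        return CRITICAL, "CRITICAL"
    if total >= warn:
        return WARNING, "WARNING"
    return OK, "OK"


def check_netflow(conn: sqlite3.Connection, host: str, port: int, warn: int, crit: int) -> Tuple[int, str]:
    """Return (exit code, output line with perfdata) as a Nagios/Opsview plugin would."""
    if warn > crit:
        return UNKNOWN, "UNKNOWN - warning threshold must not exceed critical threshold"
    try:
        total = traffic_bytes(conn, host, port)
    except sqlite3.Error as exc:
        return UNKNOWN, f"UNKNOWN - database query failed: {exc}"
    code, label = evaluate(total, warn, crit)
    return code, f"{label} - {total} bytes to port {port} via {host} | 'bytes'={total};{warn};{crit}"


if __name__ == "__main__":
    # Mirrors the 'SSH Traffic' service check above: -H <router> -c 16000 -w 14000 -p 22
    code, line = check_netflow(sample_db(), "192.0.2.1", 22, 14000, 16000)
    print(line)
    raise SystemExit(code)
```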

Points worth noting

  • Cisco 7200, 7500 & 7600 series routers require a NetFlow software license fee.

Some useful links