[CentOS] netflow collection and analysis

Sun Dec 6 22:53:42 UTC 2009
Ray Van Dolson <rayvd at bludgeon.org>

On Sun, Dec 06, 2009 at 11:48:45PM +0100, Timo Schoeler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> thus Alan McKay spake:
> > On Sun, Dec 6, 2009 at 4:39 PM, Joseph L. Casale
> > <JCasale at activenetwerx.com> wrote:
> >> Anyone got a reco on a package that can collect netflow data and accept user defined queries
> >> for specific data, like what an ip did every hour for some said interval?
> > 
> > well, collecting is pretty easy of course - tcpdump.
> > And you can load the files into wireshark to query.
> > 
> > Though it is probably not just what you want.
> > 
> > In my old job I set up a sniffer appliance which basically ran
> > tcpdump on any interface except the main interface, and logged it all
> > in circular log files of a certain size.  And the directory where
> > these were kept was served out via the web server so that anyone
> > could surf to the box and grab log files to look at.
> > 
> > You may also want to have a look at what ntop can do these days - it
> > has been a few years since I've looked at it.
> > 
> > But of course this all assumes the traffic is visible to your CentOS
> > box.  For my sniffer appliance the way to deploy it was that all the
> > other NICs except the main one got plugged into a mirror port on the
> > switch, which mirrored the particular PC we wanted to sniff.  In our
> > case this was fine because we only monitored our product which was a
> > VOIP appliance we were developing.
> > 
> > Alternately, running this on your router will pick up most of what you
> > want - but obviously not local LAN traffic
> 
> Well, netflow is the appropriate technology for this:
> 
> http://en.wikipedia.org/wiki/Netflow
> 
> Unfortunately, I don't know a solution for the thread starter's question
> out of my head, so this was just for clarifying what we're talking
> about... ;)
> 
> Timo

OP wants nfdump[1].  Great tool.  The web front-end is called nfsen and is
a separate package.

Ray

[1] http://nfdump.sourceforge.net/
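An added example (not from this thread, and not nfdump's or nfsen's own code) of the kind of query the OP asked for: given a set of flow records, summarise what one IP did hour by hour over an interval. The flow records below are constructed for this example, and their CSV column layout is a simplification assumed here rather than nfdump's real output format; with a real collector you would export the interval's flows (for instance via nfdump's `-o csv` output) and adjust the column mapping in `parse_flows` to match.

```python
"""Hourly per-IP activity summary from flow records.

Added example with constructed sample data; the column layout is an
assumption for this script, not the exact format of any flow collector.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,bytes,packets
2009-12-06 09:05:12,192.0.2.10,198.51.100.20,443,TCP,15200,40
2009-12-06 09:47:03,192.0.2.10,198.51.100.25,80,TCP,8200,21
2009-12-06 10:12:44,192.0.2.10,198.51.100.20,443,TCP,30100,70
2009-12-06 10:30:00,192.0.2.11,198.51.100.20,443,TCP,1200,9
2009-12-06 11:01:30,192.0.2.10,203.0.113.7,22,TCP,700,12
2009-12-06 11:02:10,192.0.2.10,203.0.113.7,22,TCP,800,14
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S"),
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
            "packets": int(row["packets"]),
        })
    return flows


def hourly_activity(flows, ip, start=None, end=None):
    """Aggregate flows involving `ip` (as source or destination) per hour.

    Returns {"YYYY-MM-DD HH:00": {"bytes": int, "packets": int,
    "flows": int, "peers": set of "ip:port/proto"}} restricted to the
    optional half-open interval [start, end).
    """
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "flows": 0, "peers": set()})
    for f in flows:
        if ip not in (f["src_ip"], f["dst_ip"]):
            continue
        if start is not None and f["ts"] < start:
            continue
        if end is not None and f["ts"] >= end:
            continue
        hour = f["ts"].strftime("%Y-%m-%d %H:00")
        # The "peer" is whichever side of the flow is not the IP of interest.
        peer = f["dst_ip"] if f["src_ip"] == ip else f["src_ip"]
        bucket = buckets[hour]
        bucket["bytes"] += f["bytes"]
        bucket["packets"] += f["packets"]
        bucket["flows"] += 1
        bucket["peers"].add(f"{peer}:{f['dst_port']}/{f['proto']}")
    return dict(buckets)


def format_report(activity):
    """Render the hourly summary as plain text lines, oldest hour first."""
    lines = []
    for hour in sorted(activity):
        b = activity[hour]
        peers = ", ".join(sorted(b["peers"]))
        lines.append(f"{hour}  {b['flows']:>3} flows  {b['bytes']:>8} bytes  "
                     f"{b['packets']:>5} pkts  peers: {peers}")
    return lines


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    window = (datetime(2009, 12, 6, 9), datetime(2009, 12, 6, 12))
    for line in format_report(hourly_activity(flows, "192.0.2.10", *window)):
        print(line)
```

The interval filter is half-open so that adjacent queries (09:00-12:00, 12:00-15:00) never double-count a flow sitting exactly on the boundary; the same script works for a destination IP because it matches either side of each flow.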