Wednesday, June 18, 2014

Webview Netflow Reporter

Geesh things change quickly in IT.

I was blown away by Webview Netflow Reporter four weeks ago but I have found that it has issues with actually displaying interfaces that are receiving flows visible in the GUI.

The good news is that there is an even better pair of open source netflow collection and reporting tools called nfDump and NfSen that work together to collect netflow data, display whatever you wish to see in a GUI and supports alerting as well.

We've just run it up at work and it has now replaced our commercial platform from Fluke.

Read more about nfSen in this post.

Need a netflow reporting platform but got no budget?
Problem solved!

This product will collect, draw and drill down on conversations to help you determine what traffic is using your expensive WAN links.

To get started, you'll need to build yourself a Linux box of VM, enable the LAN interface etc. and make sure you've got a working internet connection.

First, grab yourself a download link for a copy of Webview Netflow Reporter from

Substitute the link where the brackets are on the line below and copy and paste down to but not including the validation steps section (this script is an updated copy of that provided at

wget (get link to 1.0.7d)

cd ~

gunzip -c wvnetflow-1.07d.tar.gz | tar -xf -
cd ~/wvnetflow-1.07d

yum --assumeyes install rsyslog gcc byacc libtool make patch zlib-devel httpd rrdtool-perl perl-GD perl-Net-DNS

wget -O - --no-check-certificate | perl - --self-upgrade

cpanm Net::SNMP Spreadsheet::WriteExcel Net::Patricia

cd ~/wvnetflow-1.07d

gunzip -c cweinhold-flowd-sequence.tar.gz | tar -xf -
cd cweinhold-flowd-sequence
make install
mkdir -p /var/empty/dev
groupadd _flowd
useradd -g _flowd -c "flowd privsep" -d /var/empty _flowd

cd ~/wvnetflow-1.07d

bzcat flow-tools- | tar -xf -
cd flow-tools-
patch -p1 <../optional-accessories/flow-tools-patches/patch.flow-tools.scan-and-hash
CC='gcc -fPIC' ./configure
make install

cd lib

ln -s /usr/local/flow-tools/lib/libft.a libft.a
cd ../contrib
gunzip -c Cflow-1.053.tar.gz | tar -xf -
cd Cflow-1.053
perl Makefile.PL
make test
make install

sed -i.bak -e '/GLOBAL DIRECTIVES/i $AddUnixListenSocket /var/empty/dev/log\n' /etc/rsyslog.conf

cat <<EOT >/etc/rsyslog.d/40-flowd.conf

\$umask 0000
\$FileCreateMode 0644

:programname, isequal, "flowd" /var/log/flowd

:programname, isequal, "flowd" ~

chcon -t etc_t /etc/init.d/rsyslog

service rsyslog restart

cd ~/wvnetflow-1.07d

mkdir -p /opt/netflow/tmp /opt/netflow/data /opt/netflow/cache /opt/netflow/capture /usr/local/webview
cp -Rp flowage www utils /usr/local/webview
cp etc/webview.conf /etc
chmod 777 /usr/local/webview/www/flow/graphs

chcon -t httpd_sys_script_exec_t /usr/local/webview/www/flow/*.cgi

cp etc/flowd-2055.conf /usr/local/etc/

cp etc/init.d/flowd-centos /etc/init.d/flowd
chmod 755 /etc/init.d/flowd
ln -s /etc/init.d/flowd /etc/init.d/flowd-2055
chkconfig --add flowd-2055
service flowd-2055 start

iptables -I INPUT -p udp --dport 2055 -j ACCEPT

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
service iptables save

crontab -l > /tmp/newcron

cat <<EOT >>/tmp/newcron

0 * * * * /usr/local/webview/utils/flow-expire-perl -E 10G -e 9000 -w /opt/netflow/capture/2055

*/5 * * * * /usr/local/webview/utils/flowd2ft 2055 >> /var/log/flowd2ft-2055.log 2>&1

#*/5 * * * * perl /usr/local/webview/flowage/ > /tmp/flowage.stdout 2> /tmp/flowage.stderr

0 0 * * * find /opt/netflow/capture -name 'summary-*' -mtime +14 -exec rm -f {} \;

0  2 * * * find /opt/netflow/capture -name '*.rrd' -mtime +30 -exec rm -f {} \;

15 2 * * * find /opt/netflow/capture -depth -type d -empty -exec rmdir {} \;

#*/15 * * * * /usr/local/webview/flowage/monitor/ >> /var/log/monFlows.log 2>&1

0 0 1 * * /usr/local/bin/sudo mv -f /var/log/flow-expire.log /var/log/flow-expire.old

0 0 1 * * /usr/local/bin/sudo mv -f /var/log/flowd2ft-2055.log /var/log/flowd2ft-2055.old
0 0 1 * * /usr/local/bin/sudo mv -f /var/log/monFlows.log /var/log/monFlows.old
crontab /tmp/newcron

sed -i.bak -e'/UserDir: The name/ i\

Alias /webview "/usr/local/webview/www"\
<Directory /usr/local/webview/www>\
    Options Indexes Includes FollowSymLinks ExecCGI\
    order allow,deny\
    SetEnv no-gzip 1\
    allow from all\
AddHandler cgi-script .cgi\
' /etc/httpd/conf/httpd.conf

service httpd restart

####### validation steps ########

#Edit: /usr/local/webview/flowage/flowage.cfg

#to set SNMP Read String

# If running CentOS, disable SELinux

# check if flowd is running

ps -fC flowd 

# check that flows are being received

ls -lR /dev/shm/

# check that flow files are being moved to the capture directory

ls -lR /opt/netflow/capture/

# view iptables rule list -- make sure port 2055 is seeing traffic

iptables -L INPUT -v

# make sure web server is running

service httpd status

# once you're sure you have flow data in the capture directory, run one of the web scripts

wget -O - ''

# if that looks works (you see some IP addresses in the output), run flowage once from the CLI


# if that looks good (you see flow files being processed and rrd files be created), then uncomment

# the */5 and */15 flowage crontab entrys and you're all set!
# nano /tmp/newcron

No comments:

Post a Comment