Analyzing flows with NfSen, nfdump, fprobe, netflow5/9 and IPFIX...all of this is open source.
nfdump, NfSen, probe, netflow, python and nagios

Hi friends,

let's go with another musical recommendation... Wish You Were Here, Pink Floyd (1975). After this gem, the level of the publication will plummet like the self-esteem of a developer after the release of ChatGPT X, ha, ha, ha. It's a joke, and it's funny because it's a little bit true...

In the previous post, I gave an introduction to NetFlow and some open-source tools, with a high-level overview of how I implemented it in my home network. In this post, I walk through deploying Nfdump and NfSen, and configuring Linux hosts (fprobe, exporting NetFlow v5/v7) and a MikroTik router (exporting IPFIX) to send traffic statistics to the collector.

NFDUMP

Nfdump is a toolset for collecting and analyzing network flow data. Its collector daemon, nfcapd, receives flow records (source and destination IP addresses, ports, protocol, packet and byte counts) from the exporters and stores them in nfdump's own binary file format, rotated into a new file every five minutes by default. The nfdump command then reads those files, applies filters and aggregations, and reports total data volumes, communication patterns, top sources or destinations, and similar details.

NFDUMP-Install

https://github.com/phaag/nfdump

git clone https://github.com/phaag/nfdump.git
cd nfdump
# a git checkout has no configure script yet; generate it first
./autogen.sh
./configure --enable-nfprofile --enable-sflow --enable-nfpcapd --enable-maxmind --enable-nsel --enable-nftrack --enable-readpcap
make
sudo make install

NFSEN

NfSen is a web-based graphical interface and analysis tool for NetFlow data. It provides a user-friendly way to visualize and analyze network flow data collected from devices. NfSen is built on top of Nfdump, which is responsible for the actual collection and storage of the NetFlow data. NfSen enables users to monitor network performance, identify traffic patterns, detect anomalies, and investigate security incidents. NfSen also supports historical data analysis, allowing users to analyze flow data from past periods.

NFSEN-Install

https://github.com/phaag/nfsen

This is version 1.3.9 of NfSen. It is a compatibility version for new nfdump-1.7.x. NfSen 1.3.9 works with nfdump 1.6.20 and later as well with nfdump-1.7.x...With this update, nfsen-1.3.9 is php 8.1 ready.

git clone https://github.com/phaag/nfsen.git
cd nfsen
cp etc/nfsen-dist.conf etc/nfsen.conf
# Edit etc/nfsen.conf for your environment ($BASEDIR, $USER, $WWWUSER/$WWWGROUP, and one %sources
# entry per exporter with the UDP port it sends to: here 9995 for the MikroTik IPFIX target and
# 9996 for fprobe), then run the installer:
./install.pl etc/nfsen.conf

Implement basic hygiene in web access

Personally, I like to have secure access to all my services, whether they are for internal use or not. NfSen is no exception. Here is a rough extract of the Apache site configuration:

<VirtualHost *:10443>
 ServerName intelnuc-station-1.home.arpa
 DocumentRoot /var/www
 SSLEngine on
 SSLCertificateFile      /etc/apache2/certs/intelnuc-station-1.home.arpa.crt
 SSLCertificateKeyFile   /etc/apache2/certs/intelnuc-station-1.home.arpa.key

<Directory /var/www/nfsen>
    AuthName "Restricted Content"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://raspberrypi-station-1.home.arpa/dc=xxxx,dc=yyyy?uid?sub?(objectClass=*)
    Require ldap-user operations
    Options -Indexes +FollowSymlinks
    AllowOverride None
</Directory>

LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Two things to keep in mind with this setup. Basic authentication sends the credentials (base64-encoded, not encrypted) with every request, so it is only acceptable because this virtual host is TLS-only; make sure no plain-HTTP virtual host also serves /var/www/nfsen. The ldap provider needs mod_ldap and mod_authnz_ldap enabled (a2enmod ldap authnz_ldap), and with an ldaps:// URL Apache has to trust the CA that issued the LDAP server's certificate (LDAPTrustedGlobalCert), otherwise the bind fails.

FPROBE

fprobe is a small Linux daemon that turns a host into a NetFlow exporter. It captures packets with libpcap on one or all interfaces, aggregates them into flows (source and destination IP addresses, ports, protocol, packet and byte counts) and exports the resulting NetFlow v1/v5/v7 records over UDP to a collector such as nfcapd. It only sees traffic that crosses the interfaces of the host it runs on, so it complements, rather than replaces, the export from the router.

FPROBE-Install

fprobe is packaged by most distributions (on Debian the package is simply fprobe); if your distribution does not ship it, download the source code and compile it.

On Debian, the basic configuration of fprobe lives in /etc/default/fprobe. The collector port chosen here (9996, so it does not collide with the MikroTik IPFIX target on 9995) must match the port of the corresponding source in nfsen.conf:

# fprobe default configuration file
INTERFACE="any"
FLOW_COLLECTOR="192.168.0.9:9996"
# fprobe can't distinguish IP packets from others (e.g. ARP), so restrict the capture to IP
OTHER_ARGS="-fip"

Network Infrastructure

Network devices such as routers, switches and firewalls can also export traffic statistics to a collector. Here I show how I configured my MikroTik router: both routed (L3) and bridged/switched (L2) traffic statistics are sent to the collector using IPFIX.

Mikrotik Config:

/ip/traffic-flow> print
                enabled: yes
             interfaces: all
          cache-entries: 32k
    active-flow-timeout: 30m
  inactive-flow-timeout: 15s
        packet-sampling: no
      sampling-interval: 0
         sampling-space: 0
         
/ip/traffic-flow/target> print
Columns: SRC-ADDRESS, DST-ADDRESS, PORT, VERSION
# SRC-ADDRESS  DST-ADDRESS  PORT  VERSION
0 192.168.0.1  192.168.0.9  9995  ipfix

/interface/bridge/settings> print
              use-ip-firewall: yes
     use-ip-firewall-for-vlan: yes
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: no
     bridge-fast-path-packets: 0
       bridge-fast-path-bytes: 0
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0

The bridge settings matter here: Traffic Flow only accounts for packets that pass through the IP firewall, so use-ip-firewall=yes (and use-ip-firewall-for-vlan=yes for VLAN-tagged traffic) is what makes bridged/switched traffic show up at the collector. The price is that the bridge fast path is disabled, which is why bridge-fast-path-active reads "no" above.

After configuring all devices, the setup looks like this:

[Image: Mikrotik, fprobe, nfdump and Nfsen]

You may have noticed that traffic statistics can be duplicated. Why capture traffic statistics both on the source host and on the infrastructure device that routes the traffic? The answer is simple: because I am very MANLY/WOMANLY... ha, ha, ha... In practice it also means that the same conversation appears in two NfSen sources, so when you total traffic, pick one source rather than adding them together.

NfSen: Analyzing traffic

Once the collector is installed, the analyzer is configured, and the sources are properly set up, we can begin traffic analysis. To do this, we access NfSen, in our case, via HTTPS and authenticate using domain credentials... because we are fucking professionals!

Let's assume we want to analyze traffic statistics within a specific time range, for example between 22:00 and 23:00 on July 2nd. The first step is to set the time selection. With this simple action, the overview graphs already show flows, packets and bytes for each configured source.

[Image: NfSen]

In the "Netflow Processing" section, we have the ability to define the analysis in detail. For instance, let's assume we want to analyze the traffic information specifically from the "rtr01" source. Of course, we can select multiple sources as well. Once the sources are chosen, we have two general options: listing flows and creating flow statistics. You can switch between these two options by clicking on the respective button. Depending on your selection, the panel will automatically adjust to display all available options.

[Image: NfSen - Netflow Processing]

There are several interesting preconfigured NetFlow processing options; a detailed description is available here: NfSen - Netflow Processing

Another useful tool is the filter option. The filter syntax is similar to the well-known pcap filter syntax used by tcpdump. A filter can span several lines. Anything after a '#' is treated as a comment and ignored to the end of the line. There is virtually no limit on the length of the filter expression. All keywords are case-insensitive unless otherwise noted. For the complete filter syntax, see the nfdump(1) man page.

Any filter consists of one or more expressions expr. Any number of expr can be linked together.

For example, to analyze the traffic forwarded by router rtr01 to the Internet during the same time window:

[Image: NfSen - Filter]

As mentioned in the previous post, the analysis can be semi-automated. Remember that NfSen works by running nfdump queries, so all you need to do is write those queries and schedule their execution. In my case, I have written Python scripts that run the queries remotely and use Nagios to schedule them, so the checks run, and raise alerts, under Nagios's normal scheduling and notification.

For instance, in my home network every device has to go through a proxy to reach the Internet. To verify this, I schedule queries that analyze the flows handled by the router rtr01: if any device other than the proxy talks to public networks, the output of the scripts (Nagios plugins) raises an alarm. Here is an example:

[Image: Nagios, NfSen - Unwanted traffic I]
[Image: Nagios, NfSen - Unwanted traffic II]
[Image: Nagios, NfSen - Unwanted traffic - CLI execution]

Conclusion

Using Nfdump and NfSen offers significant benefits from an operational and cybersecurity standpoint, providing network monitoring, traffic analysis, threat detection, forensic investigation, performance optimization, and the ability to integrate with other security tools. These combined capabilities help strengthen a security posture and ensure a more secure and efficient network.

Documentation

https://github.com/phaag/nfdump

https://nfdump.sourceforge.net

https://github.com/phaag/nfsen

https://nfsen.sourceforge.net

https://meetings.ripe.net/ripe-50/presentations/ripe50-plenary-tue-nfsen-nfdump.pdf

https://github.com/mbolli/nfsen-ng

Anis Momin

CCIE (In progress), CCNP, CCNA-DevNet, CCNA

10mo

Thanks for the amazing blog... really interesting, will need to lab this up.
