NetFlow Monitor - Install

CONFIGURING THE ROUTER

First, on the Cisco box, enable Cisco Express Forwarding:
router(config)# ip cef
router(config)# ip cef distributed
and turn on flow accounting for each input interface with the interface command:
interface FastEthernet3
 ip route-cache flow

interface Serial3/1
 ip route-cache flow

...

Now, verify that the router (or switch) is generating flow stats. Try the command 'show ip cache flow'. Note that for routers with distributed switching (GSRs, 75XXs) the RP CLI will only show flows that made it up to the RP. To see flows on the individual linecards, use the 'attach' or 'if-con' command and issue 'sh ip ca fl' on each LC.

IP packet size distribution (36242M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .002 .340 .084 .021 .020 .012 .009 .009 .008 .007 .006 .007 .004 .003 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .004 .035 .077 .338 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  4139 active, 61397 inactive, 712344771 added
  871670181 ager polls, 0 flow alloc failures
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet     1572735      0.3        58   127     21.4      27.0      14.8
TCP-FTP        6193502      1.4        24   746     35.3       3.6       9.0
TCP-FTPD       1458042      0.3      1534   833    520.9      42.4       4.2
TCP-WWW       93403998     21.7        19   633    432.9       4.9       6.3
TCP-SMTP      16123540      3.7        15   431     59.1       3.4       6.4
TCP-X           687228      0.1       238   276     38.1      20.8      14.3
TCP-BGP        1116819      0.2         3    45      0.7       5.3      16.0
TCP-NNTP       1455156      0.3      1102   176    373.4     106.1      11.9
TCP-Frag          3244      0.0         4   636      0.0       2.8      16.3
TCP-other    188162587     43.8       118   733   5204.5      11.1       6.9
UDP-DNS       38042100      8.8         3    84     27.3       3.8      16.4
UDP-NTP       18760129      4.3         1    76      5.3       1.3      16.3
UDP-TFTP           665      0.0         4    76      0.0       7.9      16.4
UDP-Frag         13111      0.0      2121  1108      6.4     366.8      13.5
UDP-other    195556237     45.5        35   343   1632.5       5.8      16.3
ICMP         149285440     34.7         2    64     72.9       0.9      16.5
IGMP             15315      0.0       167    32      0.5    1660.6       3.9
IPINIP           15112      0.0        35    52      0.1     275.3      14.2
GRE             127489      0.0         3   109      0.1      16.9      16.1
IP-other        348604      0.0        56   447      4.5      21.5      16.2
Total:       712341053    165.8        50   620   8436.8       6.2      12.2

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
AT4/0.1       128.146.225.194 AT1/0.2       128.194.203.23  06 0019 2CAF    15 
AT2/0.10      129.22.250.148  AT1/0.2       129.2.226.43    06 04BA 1A20  1266 
AT2/0.11      130.108.110.48  AT1/0.2       170.140.89.100  06 0923 10A3   436 
AT1/0.2       170.140.89.100  AT2/0.11      130.108.110.48  06 10A3 0923   462 

! Enable export of flows with the global commands
router(config)# ip flow-export version 5 origin-as
router(config)# ip flow-export 10.0.0.2 2000

! Create a loopback interface if one does not exist
!
router(config)# interface Loopback0
  ip address 10.0.0.1 255.255.255.255

!
! Configure NetFlow export source address
!
router(config)# ip flow-export source Loopback0
If you have tcpdump installed on or near the host you're using to capture flows, the exports can be verified:
netflow:~# tcpdump -n udp port 2000
tcpdump: listening on eth0
12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.962551 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.975115 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.984444 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:29.993956 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.003252 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.015483 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.024852 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.034182 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.043545 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168
12:11:30.053239 10.0.0.1.1868 > 10.0.0.2.2000: udp 1168

SETTING UP NETFLOW COLLECTOR

After installing NetFlow Collector, edit the file /etc/netflow/nfc.conf. In this file you specify the NetFlow Collector Unit Id, which must match the id created by the NetFlow Web tool (see the installation of NetFlow Web and of the MySQL database). This id is unique per computing unit, i.e. one computer. One unit can run several collectors (one collector serves at least one NetFlow export source / router). The Unit ID is under the section [Main]. The config file has another section, [Database], where you can specify the database name (default nf), hostname (default localhost), username (default root), password, etc. If you run all-in-one (NetFlow Collector, NetFlow Web and the database on one box), you need not modify anything in /etc/netflow/nfc.conf. All other parameters are set up through the web interface.

That is all; you can now try to run the collector by typing
netflow:~# /etc/init.d/nfc start

Now is a good time to check syslog for any errors:
netflow:~# less /var/log/syslog

Enjoy it ... ;o)