NetFlow/IPFIX Exporting with pmacct

This blog post is for network experimenters who want to export flow records from an Ubuntu Linux host bridging multiple network segments. Such a network might look like this:

pmacct_diagram

An Ubuntu Linux host is bridges two network segments and traffic passing through the bridge is recorded as flow records.

Flow records can be useful for various applications. Here is an example flow record:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP      10.1.1.19:52465 ->          10.1.1.1:22            100     4600     1

 

Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes per flow.

NetFlow is a specification for exporting and collecting flow records. It is superseded by a newer open-standard specification called IPFIX.

In this tutorial we use pmacct[1], a free and open source set of passive network monitoring tools primarily developed by Paolo Lucente.  Pmacct originally stood for “Promiscuous mode IP Accounting”[2], but now has other features too. In this blog post we’re only covering how to use pmacct as a NetFlow/IPFIX exporter.

We assume that you already have a free unused Ubuntu server with multiple NICs (physical or virtual) running a recent release and access to the command line. We’re going to make changes to it, so it does need to be a box that you don’t care about, and you should have physical access to it so you can reconfigure it if you lose remote connectivity.

Pre-Work

Start by ensuring Ubuntu is up-to-date:

sudo apt-get update
sudo apt-get upgrade

 

Set up Bridging

Install bridge utils:

sudo apt-get update
sudo apt-get install bridge-utils

 

Configure Bridging

Configure bridging in the /etc/network/interfaces file. The exact configuration will depend on your interfaces. Here is an example that bridges interfaces eth0 and eth1, and assigns them with an IP address:

# IMPORTANT! ADJUST TO SUIT YOUR HARDWARE AND NETWORK!!!
#
# The loopback network interface
auto lo
iface lo inet loopback

# Bridge for pmacct NetFlow/IPFIX collector:
auto br0
iface br0 inet static
  bridge_ports eth0 eth1
  address 192.168.1.21
  netmask 255.255.255.0
  gateway 192.168.1.1
  dns-nameservers 8.8.8.8

 

Check iptables

Double check that iptables is configured correctly.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The FORWARD chain should be set to ACCEPT.

If you happen to have Docker installed, note that Docker sets the FORWARD chain to DROP. If this is the case you’ll either need to fix it (which Docker overwrites on reboot) or remove Docker. It can be temporarily fixed when needed by running (beware: may be security implications, could break Docker too):

sudo iptables -P FORWARD ACCEPT

 

Enable forwarding

To enable forwarding, edit /etc/sysctl.conf:

sudo vi /etc/sysctl.conf

Uncomment (remove the leading #) in this line:

#net.ipv4.ip_forward=1

To be safe, you’re probably going to want to reboot the server at this point.

 

Install libpcap

We need libpcap for packet capture into pmacct:

sudo apt-get update
sudo apt-get install libpcap-dev

 

Install pmacct

Now we install the pmacct project. Create src directory off your home directory:

cd
mkdir src

Downloaded latest version of pmacct (check in http://www.pmacct.net/#downloads, it is currently http://www.pmacct.net/pmacct-1.7.1.tar.gz ) into ~/src/

cd src

wget http://www.pmacct.net/pmacct-1.7.1.tar.gz

tar xvfz pmacct-1.7.1.tar.gz

cd ~/src/pmacct-1.7.1

./configure

make

sudo make install

 

Configure pmacct

Create directory for pmacct config file:

mkdir ~/pmacct
cd ~/pmacct
vi pmacctd.conf

Paste this config in (updating IP etc as appropriate):

daemonize: true
#daemonize: false
interface: br0
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe
nfprobe_receiver: 192.168.1.30:9995
! Do IPFIX:
nfprobe_version: 10
nfprobe_timeouts: tcp=30:maxlife=60

 

Run pmacct

sudo pmacctd -f ~/pmacct/pmacctd.conf

 

Check if pmacct is Running

If pmacct is configured to run as a daemon, you’ll need to check if processes are running. You should see a couple of pmacctd processes:

$ ps -ef | grep pmacct
root      2835     1  0 20:26 ?        00:00:00 pmacctd: Core Process [default]
root      2836  2835  0 20:26 ?        00:00:00 pmacctd: Netflow Probe Plugin [default_nfprobe]
user1       2838  2798  0 20:26 pts/5    00:00:00 grep --color=auto pmacct

 

Congratulations, you now have a working NetFlow/IPFIX exporter. Check out the Collecting NetFlow post for how to build a NetFlow/IPFIX collector to receive the flow records.

[1] See: http://www.pmacct.net/

[2] Source: http://wiki.pmacct.net/OfficialFAQs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s