This blog post is for network experimenters who want to export flow records from an Ubuntu Linux host bridging multiple network segments. Such a network might look like this:
An Ubuntu Linux host bridges two network segments, and traffic passing through the bridge is recorded as flow records.
Flow records can be useful for various applications. Here is an example flow record:
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP       10.1.1.19:52465 ->         10.1.1.1:22          100     4600     1
Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes per flow.
NetFlow is a specification for exporting and collecting flow records. It has been superseded by a newer open-standard specification called IPFIX.
In this tutorial we use pmacct, a free and open source set of passive network monitoring tools primarily developed by Paolo Lucente. Pmacct originally stood for “Promiscuous mode IP Accounting”, but now has other features too. In this blog post we’re only covering how to use pmacct as a NetFlow/IPFIX exporter.
We assume that you already have a free unused Ubuntu server with multiple NICs (physical or virtual) running a recent release and access to the command line. We’re going to make changes to it, so it does need to be a box that you don’t care about, and you should have physical access to it so you can reconfigure it if you lose remote connectivity.
Start by ensuring Ubuntu is up-to-date:
sudo apt-get update
sudo apt-get upgrade
Set up Bridging
Install bridge utils:
sudo apt-get update
sudo apt-get install bridge-utils
Configure bridging in the /etc/network/interfaces file. The exact configuration will depend on your interfaces. Here is an example that bridges interfaces eth0 and eth1 into br0 and assigns the bridge an IP address:
# IMPORTANT! ADJUST TO SUIT YOUR HARDWARE AND NETWORK!!!
#
# The loopback network interface
auto lo
iface lo inet loopback

# Bridge for pmacct NetFlow/IPFIX collector:
auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    address 192.168.1.21
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 188.8.131.52
Double check that iptables is configured correctly.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The FORWARD chain should be set to ACCEPT.
If you happen to have Docker installed, note that Docker sets the FORWARD chain policy to DROP. If this is the case you’ll either need to fix it (Docker overwrites the fix on reboot) or remove Docker. It can be temporarily fixed when needed by running the following (beware: this may have security implications and could break Docker too):
sudo iptables -P FORWARD ACCEPT
To enable forwarding, edit /etc/sysctl.conf:
sudo vi /etc/sysctl.conf
Uncomment (remove the leading #) this line, which enables IPv4 forwarding:

net.ipv4.ip_forward=1
To be safe, you’re probably going to want to reboot the server at this point.
pmacct needs libpcap for packet capture:
sudo apt-get update
sudo apt-get install libpcap-dev
Now we install the pmacct project. Create a src directory off your home directory, then download, build and install pmacct:
cd
mkdir src
cd src
wget http://www.pmacct.net/pmacct-1.7.1.tar.gz
tar xvfz pmacct-1.7.1.tar.gz
cd ~/src/pmacct-1.7.1
./configure
make
sudo make install
Create a directory for the pmacct config file:
mkdir ~/pmacct
cd ~/pmacct
vi pmacctd.conf
Paste this config in (updating the collector IP address etc. as appropriate):
daemonize: true
#daemonize: false
interface: br0
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe
nfprobe_receiver: 192.168.1.30:9995
! Do IPFIX:
nfprobe_version: 10
nfprobe_timeouts: tcp=30:maxlife=60
Start pmacctd with this config file:

sudo pmacctd -f ~/pmacct/pmacctd.conf
Check if pmacct is Running
If pmacct is configured to run as a daemon, you’ll need to check if processes are running. You should see a couple of pmacctd processes:
$ ps -ef | grep pmacct
root      2835     1  0 20:26 ?        00:00:00 pmacctd: Core Process [default]
root      2836  2835  0 20:26 ?        00:00:00 pmacctd: Netflow Probe Plugin [default_nfprobe]
user1     2838  2798  0 20:26 pts/5    00:00:00 grep --color=auto pmacct
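To see what the collector at nfprobe_receiver actually gets once nfprobe_version is set to 10, here is an added Python example (not part of the original post and not pmacct's own code) that decodes a minimal IPFIX message: a template set followed by one data record carrying the same keys as the aggregate line above plus packet and byte counters. The message bytes are constructed inline so it runs offline; the Information Element numbers are the standard IANA ones, and the record values mirror the sample flow shown at the top of the post.

```python
import struct
from ipaddress import IPv4Address

# IANA Information Element ids used below (subset of the IPFIX registry).
IE_NAMES = {1: "octets", 2: "packets", 4: "proto", 5: "tos", 7: "src_port",
            8: "src_host", 11: "dst_port", 12: "dst_host"}

def parse_ipfix(msg):
    """Decode one IPFIX message into a list of record dicts using its own templates."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX (version 10) message")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                      # template set: learn the record layouts
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie_id, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 8 if ie_id & 0x8000 else 4   # enterprise IEs carry a 4-byte PEN
                    fields.append((ie_id, flen))
                templates[tid] = fields
        elif set_id in templates:            # data set: decode with the matching template
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ie_id, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    # addresses become dotted quads; ports and counters are big-endian ints
                    rec[IE_NAMES.get(ie_id, ie_id)] = (str(IPv4Address(raw)) if ie_id in (8, 12)
                                                       else int.from_bytes(raw, "big"))
                records.append(rec)
    return records

def build_sample():
    """Constructed message: one template + one record mirroring the pmacctd.conf aggregate keys."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    rec = (IPv4Address("10.1.1.19").packed + IPv4Address("10.1.1.1").packed
           + struct.pack("!HHBBII", 52465, 22, 6, 0, 100, 4600))
    dset = struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(tset) + len(dset), 1533418294, 1, 0) + tset + dset
```

Running `parse_ipfix(build_sample())` yields one record with src_host 10.1.1.19, dst_port 22, proto 6, 100 packets and 4600 octets; a real collector keeps the template table across messages, since nfprobe resends templates only periodically.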
Congratulations, you now have a working NetFlow/IPFIX exporter. Check out the Collecting NetFlow post for how to build a NetFlow/IPFIX collector to receive the flow records.