Down in the nfdumps

Last time, I wrote about using samplicator to share netflow sources with multiple destinations in cases where the netflow source will only allow a single host–i.e., a Cisco router. The problem is that I really didn’t write much about what to actually do with all of that data, and chances are, you’d like some pretty pictures/graphs of it to amaze and delight your friends. At the very least, you’d probably like to have something to show someone else what you’ve been wasting all your time on.

So, let me introduce you to the dazzling combo, nfdump/nfsen–yes, I wrote dazzling. Nfsen, as you may have read, is a graphical interface for all the data nfdump collects, so you’ll see those pictures you wanted, and you’ll also have the ability to query the nfdump data to look at specific flows. Pretty cool stuff for $0, eh?

I’m not going to go through all of the install process, since there are plenty of guides already out there, but I will provide a few links for problems I had to overcome to get everything looking and behaving like it should:

Be aware that if you have a lot of data coming in, you’ll definitely need considerable storage. But, hey, what if you don’t have a lot of storage to give? You can size the profiles you create to never exceed a certain size!

Other than general awareness, the big driver for this data was to verify that the QoS configurations we’d deployed were, in fact, getting marked correctly. nfdump collects those markings, so filtering on them with nfsen is pretty easy, as long as you understand the conversions between DSCP/TOS/CoS/AF–the nfsen Netflow Processing filters want the ToS value. You can see that I even hand-edited nfsen’s HTML to include a link to the chart I found.
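The DSCP-to-ToS conversion described above, as an added example that is not part of the original post: it turns per-hop-behavior names into the ToS byte values a `tos <value>` filter expects and decodes ToS values seen in flow output back into names. The function names are assumptions made for this sketch, and the ECN handling (the low two bits of the ToS byte) goes slightly beyond the chart lookup the post mentions.

```python
import re

def dscp_value(name):
    """6-bit DSCP code point for a PHB name such as 'EF', 'AF41' or 'CS3'."""
    n = name.strip().upper()
    if n in ("BE", "DEFAULT"):
        return 0
    if n == "EF":
        return 46
    m = re.fullmatch(r"CS([0-7])", n)
    if m:
        return int(m.group(1)) << 3          # class selector: class in top 3 bits
    m = re.fullmatch(r"AF([1-4])([1-3])", n)
    if m:                                    # AFxy: DSCP = 8x + 2y
        return (int(m.group(1)) << 3) | (int(m.group(2)) << 1)
    raise ValueError(f"unknown DSCP name: {name!r}")

def tos_values(name, include_ecn=True):
    """ToS bytes carrying this DSCP: DSCP is the top 6 bits, ECN the low 2."""
    base = dscp_value(name) << 2
    return [base | ecn for ecn in range(4)] if include_ecn else [base]

def nfdump_tos_filter(names, include_ecn=True):
    """Parenthesised filter so it can be combined with other terms via 'and'."""
    vals = sorted({v for n in names for v in tos_values(n, include_ecn)})
    return "(" + " or ".join(f"tos {v}" for v in vals) + ")"

def describe_tos(tos):
    """Decode a ToS byte from flow output into (DSCP name, ECN bits)."""
    if not 0 <= tos <= 255:
        raise ValueError(f"ToS out of range: {tos}")
    dscp, ecn = tos >> 2, tos & 3
    cls, drop = dscp >> 3, (dscp >> 1) & 3
    if dscp == 46:
        name = "EF"
    elif dscp & 7 == 0:
        name = f"CS{cls}"
    elif dscp & 1 == 0 and 1 <= cls <= 4:
        name = f"AF{cls}{drop}"
    else:
        name = f"DSCP{dscp}"                 # non-standard marking worth a look
    return name, ecn

if __name__ == "__main__":
    # Constructed sample: markings a voice/video QoS policy might use.
    print(nfdump_tos_filter(["EF", "AF41"], include_ecn=False))
    for tos in (184, 185, 136, 96, 4):       # constructed ToS values
        print(tos, describe_tos(tos))
```

Matching only the base value (for example `tos 184` for EF) misses flows whose packets also carry ECN bits, which is why the filter builder includes the ECN variants by default.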

One last cool nfdump-y, nfsen-y thing for this article is porttracker, which can give you device-to-switchport correlation, much like you might find with CiscoWorks. Though it works great, the big problem for me was that it created a lot of data and I had limited storage. After a relatively short time, I had to disable the plugin, which was easy enough to do.

2 Comments

  1. fakename November 26, 2014 9:49 am 

    How did you add the tos column to nfsen?

  2. Ross Eison December 3, 2014 8:52 pm 

    Hmmm…it’s been such a long time, but I really don’t remember doing anything to show it. Just had to include it in my search filter.
