Last time, I wrote about using samplicator to share NetFlow sources with multiple destinations in cases where the NetFlow source will only allow a single host (i.e., a Cisco router). The problem is that I really didn’t write much about what to actually do with all of that data, and chances are, you’d like some pretty pictures/graphs of it to amaze and delight your friends. At the very least, you’d probably like to have something to show someone else what you’ve been wasting all your time on.
So, let me introduce you to the dazzling combo, nfdump/nfsen (yes, I wrote dazzling). Nfsen, as you may have read, is a graphical interface for all the data nfdump collects, so you’ll see those pictures you wanted, and you’ll also have the ability to query the nfdump data to look at specific flows. Pretty cool stuff for $0, eh?
I’m not going to go through all of the install process, since there are plenty of guides already out there, but I will provide a few links for problems I had to overcome to get everything looking and behaving like it should:
- Fix problems with the icons nfsen uses not displaying
- How to find an interface index number on a Cisco router
- How to separate inbound and outbound data in a single graph
Be aware that if you have a lot of data coming in, you’ll definitely need considerable storage. But, hey, what if you don’t have a lot of storage to give? You can size the profiles you create to never exceed a certain size!
Other than general awareness, the big driver for this data was to verify that the QoS configurations we’d deployed were, in fact, getting marked correctly. nfdump collects those markings, so filtering on them with nfsen is pretty easy, as long as you understand the conversions between DSCP/ToS/CoS/AF: the nfsen Netflow Processing filters want the ToS value. You can see that I even hand-edited nfsen’s HTML to include a link to the chart I found.
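The DSCP-to-ToS conversion mentioned above, as an added example that is not part of the original post: it turns a DSCP name into the ToS byte that nfdump's `tos` filter (values 0..255) expects. The function names are hypothetical, and the filter it builds also matches the same marking with ECN bits set, since those share the ToS byte.

```python
import re

def dscp_value(name):
    """Return the 6-bit DSCP for 'AF31', 'CS5', 'EF', 'BE' or a bare number 0..63."""
    name = name.strip().upper()
    if name == "EF":                      # Expedited Forwarding (RFC 3246)
        return 46
    if name in ("BE", "DEFAULT"):         # best effort
        return 0
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:                                 # AFxy = 8x + 2y (RFC 2597)
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = re.fullmatch(r"CS([0-7])", name)
    if m:                                 # CSx = 8x (RFC 2474)
        return 8 * int(m.group(1))
    if name.isdigit() and int(name) <= 63:
        return int(name)
    raise ValueError(f"unknown DSCP name: {name!r}")

def tos_byte(name, ecn=0):
    """ToS byte as carried in the IP header: DSCP in the top 6 bits, ECN in the low 2."""
    if ecn not in range(4):
        raise ValueError("ECN must be 0..3")
    return (dscp_value(name) << 2) | ecn

def precedence(name):
    """Top 3 bits of the ToS byte (IP precedence), the value CoS is commonly mapped from."""
    return dscp_value(name) >> 3

def tos_filter(name):
    """nfdump filter text matching one DSCP marking with any ECN bits."""
    base = tos_byte(name)
    return "(" + " or ".join(f"tos {base | ecn}" for ecn in range(4)) + ")"

if __name__ == "__main__":
    # Constructed sample markings, not taken from the post.
    for n in ("EF", "AF41", "AF31", "CS3", "BE"):
        print(f"{n:5} dscp={dscp_value(n):2} tos={tos_byte(n):3} "
              f"prec={precedence(n)} filter={tos_filter(n)}")
```

The printed filter text can be pasted into the nfsen filter box or passed to nfdump as its filter argument.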
One last cool nfdump-y, nfsen-y thing for this article is porttracker, which can give you device-to-switchport correlation, much like you might find with CiscoWorks. Though it works great, the big problem for me was that it created a lot of data and I had limited storage. After a relatively short time, I had to disable the plugin, which was easy enough to do.