Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_components:utilities:oldutility:nfsen:nfsen_ext:nfsen_full_netflow [2023/09/12 09:41] – removed - external edit (Unknown date) 127.0.0.1
+++ en:dpi:dpi_components:utilities:oldutility:nfsen:nfsen_ext:nfsen_full_netflow [2024/09/26 15:29] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+====== Making reports by IP ======
+{{indexmenu_n>3}}
+. First, add the new data receiver to nfsen configuration:
+<code>
+vi /usr/local/nfsen/etc/nfsen.conf
+%sources = (
+'protocols' => { 'port' => '9997', 'col' => '#00ff00', 'type' => 'netflow' },
+'directions' => { 'port' => '9998', 'col' => '#ffff00', 'type' => 'netflow' },
+'full' => { 'port' => '9999', 'col' => '#114422', 'type' => 'netflow' }
+);
+</code>
+. Second, activate configuration changes:
+<code>
+/usr/local/nfsen/bin/nfsen reconfig
+</code>
+. Enable receiving UDP to port 9999 in iptables:
+<code>
+vi /etc/sysconfig/iptables
+-A INPUT -m state --state NEW -m udp -p udp --dport 9999 -j ACCEPT
+service iptables restart
+</code>
+. Activate sending the full netflow on DPI:
+<code>
+vi /etc/dpi/fastdpi.conf
+netflow=11
+netflow_full_collector=127.0.0.1:9999
+netflow_passive_timeout=20
+netflow_active_timeout=60
+service fastdpi restart
+</code>
+nfsen is not the best tool to study the full netflow. However, it allows to build simple reports (check the page Netflow Processing: for example, top by IP).
+Full netflow sends the original port number by default. Therefore the report by protocols does not work. In order to activate coding of the protocol's information in a port number you have to activate configuration parameter netflow_full_port_swap=1

Profile

Settings

Differences