Analysing network traffic with nfsen + sFlow + NetFlow
Introduction
One of our HP switches showed an unusually high load, but working out which IP was responsible is hard with tcpdump alone. So I wanted to use the switch's sFlow feature together with nfsen to analyse the sFlow data. That shows the composition of the traffic on the network and the real-time bandwidth usage, and helps me find the "hog".
In the end it got me there. Thanks to the open source organisations involved and to the many IT predecessors who shared their work freely.
Required system and software
OS: CentOS 6.8 X64 / CentOS 7.6 X64
nginx-1.9.15.tar.gz
php-7.1.15.tar.bz2
nfdump-1.6.13.tar.gz
nfsen-1.3.7.tar.gz
Downloads
http://nginx.org/download/nginx-1.9.15.tar.gz
http://downloads.sourceforge.net/nfsen/nfsen-1.3.7.tar.gz
http://downloads.sourceforge.net/project/nfdump
[Note]
The default download from http://downloads.sourceforge.net/nfsen is version 1.3.6p1, but that version failed with the same error for me on both CentOS 6.8 and 7.3. Maybe I was just unlucky, but nfsen-1.3.7.tar.gz worked without any problem.
Installing nginx and PHP
Required RPMs
yum -y install gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel
yum -y install libxml2 libxml2-devel openssl openssl-devel \
curl curl-devel libjpeg libjpeg-devel libpng \
libpng-devel freetype freetype-devel pcre pcre-devel libxslt \
libxslt-devel bzip2 bzip2-devel
[nginx installation]
useradd www
tar -xvf nginx-1.9.15.tar.gz
cd nginx-1.9.15
./configure --prefix=/ap/nginx
## --prefix is optional; without it nginx is installed under /usr/local/nginx
make && make install
[ nginx.conf changes ]
user www www; ## the group must be given as well, otherwise nginx fails with: nginx: [emerg] getgrnam("www") failed in ...
location / {
root html;
index index.php index.html index.htm;
}
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /php$fastcgi_script_name;
include fastcgi_params;
}
[php-fpm]
tar -xvf php-7.1.15.tar.bz2
cd php-7.1.15
./configure --prefix=/usr/local/php --with-curl --with-freetype-dir --with-gd --with-gettext \
--with-iconv-dir --with-kerberos --with-libdir=lib64 --with-libxml-dir --with-mysqli --with-openssl \
--with-pcre-regex --with-pdo-oci=instantclient,/usr/instantclient,11.2 \
--with-pdo-mysql --with-pdo-sqlite --with-pear \
--with-png-dir --with-jpeg-dir --with-xmlrpc --with-xsl --with-zlib \
--with-bz2 --with-mhash --enable-fpm --enable-bcmath --enable-libxml \
--enable-inline-optimization --enable-gd-native-ttf --enable-mbregex \
--enable-mbstring --enable-opcache --enable-pcntl --enable-shmop \
--enable-soap --enable-sockets \
--enable-sysvsem --enable-sysvshm --enable-xml --enable-zip
make && make install
cp php.ini-development /usr/local/php/lib/php.ini
cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
cp sapi/fpm/php-fpm /usr/local/bin
cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf
[edit /usr/local/php/lib/php.ini]
cgi.fix_pathinfo=0
date.timezone = Asia/Shanghai
[edit /usr/local/php/etc/php-fpm.conf]
pid = run/php-fpm.pid
[edit /usr/local/php/etc/php-fpm.d/www.conf]
security.limit_extensions = .php .php3 .php4 .php5 .php7
[start php & nginx]
/usr/local/php/sbin/php-fpm
/ap/nginx/sbin/nginx
[stop php & nginx]
kill -INT `cat /usr/local/php/var/run/php-fpm.pid`
## relies on the pid setting made in [edit /usr/local/php/etc/php-fpm.conf]
/ap/nginx/sbin/nginx -s stop
Installing nfdump and nfsen
[Required RPMs]
yum -y install rrdtool rrdtool-devel libpcap-devel
yum install perl perl-Sys-Syslog rrdtool-perl perl-Data-Dumper perl-MailTools perl-Socket6
[nfdump installation]
tar -xvf nfdump-1.6.13.tar.gz
cd nfdump-1.6.13
./configure --enable-nfprofile --enable-nftrack --enable-sflow \
--enable-nfpcapd --with-rrdpath
make && make install
[Note] --enable-nfpcapd for netflow
[Create the user and directory]
mkdir -p /data/nfsen
useradd netflow -g www
[Error log]
## Error: configure: error: Can not link librrd configure failed!
## Cause: the rrdtool-devel rpm is not installed
## Error: nfpcapd.c:90:18: fatal error: pcap.h: No such file or directory
## Cause: the libpcap-devel rpm is not installed
## Error: nfpcapd.c:86:3: error: #error missing bpf header
## Fix: clean and configure again
make clean ; ./configure ...
[nfsen-1.3.7 installation]
tar -xvf nfsen-1.3.7.tar.gz
cd nfsen-1.3.7
cp etc/nfsen-dist.conf etc/nfsen.conf
[ edit etc/nfsen.conf ]
$BASEDIR = "/data/nfsen";
$HTMLDIR = "/php/nfsen";
$WWWUSER = "www";
$WWWGROUP = "www";
$PREFIX = '/usr/local/bin';
%sources = (
'H3C' => { 'port' => '8603','col' => '#0000ff', 'type' => 'sflow' },
'upstream1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
);
[edit libexec/NfProfile.pm]
no strict 'refs'; # add this line
[Install]
./install.pl etc/nfsen.conf
cd /php/nfsen ; cp -rp css icons js /ap/nginx/html/
[Errors]
## Error: ERROR: nfsend connect() error: Permission denied!
## ERROR: nfsend - connection failed!!
## ERROR: Can not initialize globals!
## I really could not work out which user needs permission on the nfsen.comm file; nothing I set worked and only chmod 666 made it work, and it has to be run again every time the service is restarted
## Fix: chmod a+rw /data/nfsen/var/run/nfsen.comm
[start]
/data/nfsen/bin/nfsen start
chmod a+rw /data/nfsen/var/run/nfsen.comm
[stop]
/data/nfsen/bin/nfsen stop
Screenshot after completion
Configuring sFlow on the HP switch
[Check the current status]
coreswitch2(config)# show sFlow 1 destination
SFlow Destination Information
Destination Instance : 1
sflow : Disabled
Datagrams Sent : 0
Destination Address :
Receiver Port : 6343
Owner :
Timeout (seconds) : 0
Max Datagram Size : 1400
Datagram Version Support : 5
OOBM Support : Disabled
coreswitch2(config)# show sFlow 1 sampling
SFlow Sampling Information
| Sampling Dropped | Polling
Port | Enabled Rate Header Samples | Enabled Interval
----- + ------- -------- ------ ---------- + ------- --------
sFlow 1 destination 10.21.2.83 8603 ## the default port is 6343
sFlow 1 sampling all 500 ## starts sending datagrams
[Confirm that datagrams are being sent]
coreswitch2(config)# show sFlow 1 destination
SFlow Destination Information
Destination Instance : 1
sflow : Enabled
Datagrams Sent : 168
Destination Address : 10.21.2.83
Receiver Port : 8603
Owner : Administrator, CLI-Owned, Instance 1
Timeout (seconds) : 2147483603
Max Datagram Size : 1400
Datagram Version Support : 5
OOBM Support : Disabled
[Stop sending datagrams]
no sFlow 1 destination 10.21.2.81
[Confirm with tcpdump that the host receives the datagrams]
tcpdump host 10.21.3.7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:49:42.950699 IP 10.21.3.7.53504 > 10.21.2.83.8603: UDP, length 1284
Configuring Cisco NetFlow
This has to be configured on a switch that supports NetFlow
ip flow ingress infer-fields
ip flow ingress layer2-switched
ip flow-export version 5
ip flow-export destination X.X.X.X 9995 (the port must match the one in nfsen.conf)
ip route-cache flow infer-fields
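The tcpdump check above only proves that UDP arrives on the collector; it does not show whether the switch really sends the configured sampling rate, or which source the NetFlow records blame for the bytes. The following is an added example, not part of the original post and not code from the nfsen or nfdump projects: a small decoder for the two formats this setup collects, sFlow v5 from the HP switch on port 8603 and NetFlow v5 from the Cisco router on port 9995, plus a "top talkers" tally over the NetFlow records. The field layouts follow the published sFlow v5 and NetFlow v5 formats; the agent, exporter and host addresses in the sample datagrams are constructed for this example (the switch address 10.21.3.7 and the ports are taken from the post). The `receive_one` helper binds the collector port itself, so stop nfsen (and nfcapd) before using it on the real host.

```python
# Added example: decode sFlow v5 and NetFlow v5 datagrams as they arrive on
# the collector host. Sample datagrams below are constructed, not captured.
import socket
import struct
from collections import defaultdict

SFLOW_PORT = 8603     # 'H3C' source in nfsen.conf
NETFLOW_PORT = 9995   # 'upstream1' source in nfsen.conf


def parse_sflow_v5(data):
    """Decode the sFlow v5 datagram header and each sample's header.

    Header: version, agent address type (1=IPv4, 2=IPv6), agent address,
    sub-agent id, sequence number, uptime (ms), number of samples.
    Flow samples (enterprise 0, format 1) carry the sampling rate in use,
    which should match the 'sFlow 1 sampling all 500' on the switch.
    """
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError("not an sFlow v5 datagram (version %d)" % version)
    if addr_type == 1:
        agent, off = socket.inet_ntop(socket.AF_INET, data[8:12]), 12
    elif addr_type == 2:
        agent, off = socket.inet_ntop(socket.AF_INET6, data[8:24]), 24
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    sub_agent, seq, uptime_ms, nsamples = struct.unpack_from("!IIII", data, off)
    off += 16
    header = {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
              "uptime_ms": uptime_ms, "samples": nsamples}
    samples = []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated sample")
        if fmt == 1 and length >= 32:   # flow sample: 8 uint32 before the records
            _seq, _src, rate, _pool, drops, _inp, _outp, nrec = \
                struct.unpack_from("!8I", data, off)
            samples.append({"type": "flow", "sampling_rate": rate,
                            "drops": drops, "records": nrec})
        else:                           # counter samples etc.: skip by length
            samples.append({"type": "format-%d" % fmt})
        off += length
    return header, samples


NF5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_netflow_v5(data):
    """Decode a NetFlow v5 export into a list of flow records."""
    version, count = struct.unpack_from("!HH", data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export (version %d)" % version)
    records = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        if off + NF5_RECORD.size > len(data):
            raise ValueError("export claims %d records but is truncated" % count)
        (src, dst, _nh, _inp, _outp, pkts, octets, _first, _last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = \
            NF5_RECORD.unpack_from(data, off)
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "sport": sport, "dport": dport, "proto": proto,
                        "tcp_flags": flags, "packets": pkts, "bytes": octets})
    return records


def top_talkers(records, n=3):
    """Bytes per source address, largest first: the quick way to spot a hog."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def receive_one(port, timeout=10.0):
    """Wait for one datagram on `port` (run on the collector host while the
    switch or router exports; nfsen must not be holding the port) and decode it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", port))
        data, (peer, _) = s.recvfrom(65535)
    decoded = parse_sflow_v5(data) if port == SFLOW_PORT else parse_netflow_v5(data)
    return peer, decoded


# --- constructed sample datagrams (not real captures) ------------------------
SFLOW_SAMPLE = (
    struct.pack("!II4sIIII", 5, 1, socket.inet_aton("10.21.3.7"), 0, 168, 3600000, 1)
    + struct.pack("!II", 1, 32)                          # one flow sample, 32 bytes
    + struct.pack("!8I", 1, 7, 500, 5000, 0, 7, 12, 0)   # sampling rate 500, no records
)


def _nf5_record(src, dst, sport, dport, proto, octets):
    return NF5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, octets // 1000, octets,
                           1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


NETFLOW_SAMPLE = NF5_HEADER.pack(5, 3, 3600000, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    _nf5_record("10.21.5.20", "10.21.2.10", 51000, 443, 6, 60_000_000),
    _nf5_record("10.21.5.20", "10.21.2.11", 52000, 445, 6, 30_000_000),
    _nf5_record("10.21.5.21", "10.21.2.10", 53000, 53, 17, 1_000),
])

if __name__ == "__main__":
    hdr, samples = parse_sflow_v5(SFLOW_SAMPLE)
    print("sFlow agent", hdr["agent"], "seq", hdr["sequence"], samples)
    print("NetFlow top talkers", top_talkers(parse_netflow_v5(NETFLOW_SAMPLE)))
```

Run it as-is to see the decoders on the constructed datagrams; on the collector host, `receive_one(SFLOW_PORT)` returns the switch address as the UDP peer and the decoded header, so a sampling rate other than 500 or a non-zero `drops` counter points at the switch configuration rather than at nfsen. The NetFlow tally is what nfdump does at scale; here it is just enough to confirm that the source addresses in the export make sense before trusting the nfsen graphs.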
How to use nfsen
END