|
|
This chapter contains platform and system requirements and instructions for installing and setting up the NetFlow FlowCollector application, FlowCollector. For information about how to customize data collection, see the chapter entitled, "Configuring the NetFlow FlowCollector."
This section contains information about platforms supported and disk space requirements. You may need a dedicated system; this section helps you determine whether you do or not.
The FlowCollector is available for the following platforms:
The FlowCollector requires approximately 750 KB of disk space for its binary, configuration, and log files. The amount of disk space required depends on how you configure the application to run on your workstation. You control how much and what type of data to collect. The memory requirement varies with the flow arrival rate and collection interval and with the number of aggregation schemes specified.
The FlowCollector application generates output data files of aggregated data. These files require additional disk space, the exact amount depending on the number of aggregation schemes selected and the maximum disk space allowed for each.
Table 2-1 shows an example of some aggregation schemes with their file sizes and arrival rate.
| Aggregation Scheme | Aggregation Period | Output File Size | Flows per Second |
|---|---|---|---|
| DestNode | 10 minutes | 240 KB | 12.5 |
| HostMatrix | 10 minutes | 1.2 MB | 12.5 |
| HostMatrix | 2 minutes | 200 KB | 12.5 |
| DetailInterface | 5 minutes | 950 KB | 12.5 |
| DetailHostMatrix | 5 minutes | 3.8 MB | 30 |
| DetailHostMatrix | 10 minutes | 15.6 MB | 30 |
You should verify the available disk space on your workstation before installing the FlowCollector application.
If the average throughput on a NetFlow enabled router is 150 kpps and the average number of packets per flow is 100, you may have approximately 1500 flow records per second to be exported by the router. This will result in 50 (1500/30) NetFlow export datagrams per second or 75 KB
(30 x 1500 bytes/datagram) per second.
You can estimate the amount of user data protocol (UDP) traffic that a router generates when NetFlow Data Export is enabled. To do this you must understand the characteristics of the traffic in your network, including the average packets per second of switching throughput and the average number of packets per flow.
For example, if the average throughput on a NetFlow enabled router interface is 150 kpps and the average number of packets per flow is 20, you may have approximately 7500 flow records per second. You should expect approximately 250 NetFlow export datagrams per second (7500 flows/
30 per export datagram) or approximately 375 KB/second of flow export traffic (250 x
1500 bytes/datagram) from the router.
The FlowCollector application for Solaris and HP-UX platforms is available on CD-ROM. The recommended amount of free disk space is 2 GB.
Use the following installation procedures after installing the FlowCollector software package.
Step 1 Log in as root.
Step 2 After copying the NFC1_0.SOL.tar file from the CD to a locally mounted directory, you must untar the file.
Step 3 Run the installation script to begin the preinstallation process. Answer all questions.
Answer yes to this last question if you have previously installed a package named CSCOnfc.
The script removes installed packages, verifies package dependencies, processes package information, and removes path names where required.
Select the packages you wish to process (the default is all).
Installation of <CSCOnfc> was successful
Enter a new location and name for the log file, then press Return to continue.
Enter a location and name for the daemon log file, then press Return to continue.
Step 1 Log in as root.
Step 2 After copying the NFC1_0.HP_10.tar file from the CD to a locally mounted directory, you must untar the file.
Step 3 Run the installation script to begin the preinstallation process. Answer all questions.
Enter a new location and name for the log file, then press Return to continue.
Enter a location and name for the daemon log file, then press Return to continue.
The output of the install session is saved in ./nfc_install.log.
Figure 2-1 shows the FlowCollector directory structure after installation.
You must set the following environment variables:
NFC_DIR = /opt/CSCOnfc and NFC_RESOURCEFILE = $NFC_DIR/config/nf.resources
The nf.resources file is located in $/NFC_DIR/config. Unless you have customized changes that must be made during installation, there is no need to change the nf.resources file. Edit your .cshrc or .profile file to set environment variables NFC_DIR and NFC_RESOURCEFILE.
setenv NFC_BIN /opt/CSCOnfc setenv NFC_RESOURCESFILE $NFC_DIR/config/nf.resources
NFC_DIR=/opt/CSCOnfc; export NFC_DIR NFC_RESOURCESFILE=$NFC_DIR/config/nf.resources; export NFC_RESOURCESFILE
The nf.resources file contains the variables and corresponding directory file path names for configuring your environment (see Table 2-2). The nf.resources file also includes parameters for performance tuning and output file format (see Table 2-3). You must edit the nf.resources file to specify the path names to the files listed.
| Variable | Default File |
|---|---|
| NFC_CONFIGFILE | nfconfig.file |
| NFC_KNOWNPROTOCOLS | nfknown.protocols |
| NFC_KNOWNSRCPORTS | nfknown.srcports |
| NFC_KNOWNDSTPORTS | nfknown.dstports |
| NFC_LOG | nfc.log |
| NFCD_LOG | nfcd.log |
The following configuration files define the variables discussed in Table 2-3.
The nfconfig.file (located in $NFC_DIR/config/nfconfig.file) contains definitions of the desired aggregation tasks performed on the data collected. These tasks, defined in terms of threads and filters, tell the FlowCollector how to collect and aggregate the incoming NetFlow export data. Each aggregation task must have a thread defined for it.
If the FlowCollector application does not have write permission to the root directory specified by a DataSetPath attribute, it uses $NFC_DIR as the root directory for the output files of aggregated data. The FlowCollector application supports multiple aggregation tasks simultaneously.
The nfknown.protocols file (located in $NFC_DIR/config/nfknown.protocols) contains protocol definitions for use in the aggregation schemes. These definitions are also used for protocol filters. You edit this file to add/remove protocols. The FlowCollector scans this file and maintains a list of protocols it finds. The FlowCollector searches the defined protocols in the order they are defined in nfknown.protocols. In order to increase performance of the software, put the most often used protocols at the beginning of the file.
The nfknown.srcports file (located in $NFC_DIR/config/nfknown.srcports) contains source port numbers used in the SourcePort aggregation scheme (or other aggregation scheme using source port numbers as part of its key). Traffic from other source ports is considered as Others. You can edit the nfknown.srcports file. The port numbers are specified as individual items or ranges. For example:
1, 24 6000
A range includes boundaries; in the above example 1 and 24 are included.
The nfknown.dstports file (located in $NFC_DIR/config/nfknown.dstports) contains destination port numbers used in the DestPort aggregation scheme (or other aggregation scheme using destination port numbers as part of its key). The file format is the same as that for nfknown.srcports.
To set workstation variables, you must edit the nf.resources file to use the available configuration parameters. Table 2-3 shows the available parameters, their values, and a description of each.
| Flag | Default Value | Value | Description |
|---|---|---|---|
| OUTPUT_DOTTEDADDRESS | Yes | Yes No | Writes the IP address to the output files in dotted decimal format, for example, A.B.C.D. Writes the IP address to the output files in network address format, for example, 255.255.255.255. |
| LONG_OUTPUTFILE_SUFFIX | No | Yes No | Sets the output file extension to add the year, month, and date to the hour and minute, for example, _YYYY_MM_DD.HHMM suffix. Sets the output file extension to add HH.MM. |
| DEVICE_DOTTEDADDRESS | Yes | Yes No | Uses sender router's IP address for storage. Attempts to get DNS name first. |
| GMT_FLAG | Yes | Yes No | Uses the GMT reference. Uses local time. |
| CSV_FORMAT | No | Yes No | Uses CSV in writing aggregation output. Uses a vertical bar ( | ) as the delimiter. |
Due to the high volume of the NetFlow data export traffic, it may be necessary to increase the normal buffer size associated with the UDP socket on which data is received. To do so, edit the value of the SOCKET_BUFSIZE parameter in the $NFC_DIR/config/nf.resources file.
Before you run the FlowCollector, you must set the environment variables. To run the FlowCollector, use the following procedure:
Step 1 Log in as root.
Step 2 Start the FlowCollector application.
To stop the FlowCollector application, enter nfcollector stop all.
The FlowCollector runs as three sets of processes:
1. NFCollector (for collection and aggregation)
2. NFCD (allows the user interface access to the FlowCollector)
3. NFUI (interface for the end user)
The user can use NFUI to talk to a local or remote FlowCollector. By default, NFCD and NFUI are configured to communicate locally. If you plan to access the FlowCollector from a non-local workstation, NFCD must be started to listen on a unused non-reserved UDP port. To do so, you must edit the nfcollector script and replace the line
NFC_BIN/NFCD&
with the following line
NFC_BIN/NFCD <udp port>&
|
|