NetFlow_IPFIX Exporting with pmacct – Bits 'n Bytes

This would assist to set up an IPFIX exporting system

Uploaded by

R. RAJ

8/29/24, 10:22 AM NetFlow/IPFIX Exporting with pmacct – Bits 'n Bytes


Bits 'n Bytes

An I.T. Architect's Journeys with Computing

NetFlow/IPFIX Exporting with pmacct

August 22, 2018 | August 25, 2018 | Matt Hayes


This blog post is for network experimenters who want to export flow records from an Ubuntu Linux
host bridging multiple network segments. Such a network might look like this:

An Ubuntu Linux host bridges two network segments, and traffic passing through the bridge is
recorded as flow records.

Flow records can be useful for various applications. Here is an example flow record:

Date first seen          Duration Proto  Src IP Addr:Port      Dst IP Addr:Port  Packets  Bytes  Flows
2018-08-04 21:31:34.518     0.000 TCP    10.1.1.19:52465  ->   10.1.1.1:22           100   4600      1

https://mattjhayes.com/2018/08/22/netflow-ipfix-exporting-with-pmacct/ 1/7

Flow records give a coarse-grained view of what traffic is passing over a network, including flow
source and destination addresses/protocols/ports, as well as volume information such as packets and
bytes per flow.

NetFlow is a specification for exporting and collecting flow records. It is superseded by a newer open-
standard specification called IPFIX.

In this tutorial we use pmacct[1], a free and open source set of passive network monitoring tools
primarily developed by Paolo Lucente. Pmacct originally stood for “Promiscuous mode IP
Accounting”[2], but now has other features too. In this blog post we’re only covering how to use
pmacct as a NetFlow/IPFIX exporter.

We assume that you already have a free unused Ubuntu server with multiple NICs (physical or
virtual) running a recent release and access to the command line. We’re going to make changes to it,
so it does need to be a box that you don’t care about, and you should have physical access to it so
you can reconfigure it if you lose remote connectivity.

Pre-Work

Start by ensuring Ubuntu is up-to-date:

sudo apt-get update
sudo apt-get upgrade

Set up Bridging

Install bridge utils:

sudo apt-get update
sudo apt-get install bridge-utils


Configure Bridging

Configure bridging in the /etc/network/interfaces file. The exact configuration will depend on your
interfaces. Here is an example that bridges interfaces eth0 and eth1 and assigns the bridge an IP
address:

# IMPORTANT! ADJUST TO SUIT YOUR HARDWARE AND NETWORK!!!
#
# The loopback network interface
auto lo
iface lo inet loopback

# Bridge for pmacct NetFlow/IPFIX collector:
auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    address 192.168.1.21
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8

Check iptables

Double check that iptables is configured correctly.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The FORWARD chain should be set to ACCEPT.



If you happen to have Docker installed, note that Docker sets the FORWARD chain policy to DROP. If
this is the case you'll either need to change the policy (Docker resets it on reboot) or remove
Docker. It can be temporarily fixed when needed by running the following command (beware: there may
be security implications, since an ACCEPT policy forwards any traffic that no rule drops, and it
could break Docker too):

sudo iptables -P FORWARD ACCEPT

Enable forwarding

To enable forwarding, edit /etc/sysctl.conf:

sudo vi /etc/sysctl.conf

Uncomment this line (remove the leading #):

#net.ipv4.ip_forward=1

To be safe, you’re probably going to want to reboot the server at this point.

Install libpcap

We need libpcap for packet capture into pmacct:

sudo apt-get update
sudo apt-get install libpcap-dev


Install pmacct

Now we install the pmacct project. Create a src directory in your home directory:

cd
mkdir src

Download the latest version of pmacct (check http://www.pmacct.net/#downloads; it is
currently http://www.pmacct.net/pmacct-1.7.1.tar.gz) into ~/src/:

cd src
wget http://www.pmacct.net/pmacct-1.7.1.tar.gz
tar xvfz pmacct-1.7.1.tar.gz
cd ~/src/pmacct-1.7.1
./configure
make
sudo make install

Configure pmacct

Create a directory for the pmacct config file:

mkdir ~/pmacct
cd ~/pmacct
vi pmacctd.conf

Paste this config in (updating IP etc as appropriate):


daemonize: true
#daemonize: false
interface: br0
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe
nfprobe_receiver: 192.168.1.30:9995
! Do IPFIX:
nfprobe_version: 10
nfprobe_timeouts: tcp=30:maxlife=60

Run pmacct

sudo pmacctd -f ~/pmacct/pmacctd.conf

Check if pmacct is Running

If pmacct is configured to run as a daemon, you’ll need to check if processes are running. You should
see a couple of pmacctd processes:

$ ps -ef | grep pmacct
root      2835     1  0 20:26 ?        00:00:00 pmacctd: Core Process [default]
root      2836  2835  0 20:26 ?        00:00:00 pmacctd: Netflow Probe Plugin [default_nfprobe]
user1     2838  2798  0 20:26 pts/5    00:00:00 grep --color=auto pmacct
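
The process listing shows the daemon is up, not that it is emitting IPFIX. As an added example (not code from the original post or from pmacct), this Python parser decodes a datagram as it would arrive on the nfprobe_receiver port, rejects anything whose version field is not 10, and lists the templates it carries per RFC 7011. The sample message, its template layout and the function names are constructed for illustration and are not captured pmacct output.

```python
import struct

def parse_ipfix(datagram: bytes) -> dict:
    """Decode an IPFIX message header and walk its sets (RFC 7011)."""
    if len(datagram) < 16:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, length, t, seq, dom = struct.unpack("!HHIII", datagram[:16])
    if version != 10:  # nfprobe_version 5 or 9 would show up here
        raise ValueError(f"not IPFIX: version field is {version}")
    if length != len(datagram):
        raise ValueError(f"header says {length} bytes, got {len(datagram)}")
    msg = {"export_time": t, "sequence": seq, "domain": dom, "templates": {}, "data_sets": []}
    offset = 16
    while offset < length:
        if length - offset < 4:
            raise ValueError("truncated set header")
        set_id, set_len = struct.unpack("!HH", datagram[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError(f"set at offset {offset} has bad length {set_len}")
        body = datagram[offset + 4:offset + set_len]
        if set_id == 2:  # template set
            msg["templates"].update(parse_templates(body))
        elif set_id >= 256:  # data set, keyed by the template ID that describes it
            msg["data_sets"].append((set_id, len(body)))
        offset += set_len
    return msg

def parse_templates(body: bytes) -> dict:
    """Return {template_id: [(element_id, field_length), ...]}."""
    templates, pos = {}, 0
    while len(body) - pos >= 4:
        tid, count = struct.unpack("!HH", body[pos:pos + 4])
        if tid < 256:  # zero padding after the last record, not a template
            break
        pos, fields = pos + 4, []
        for _ in range(count):
            if len(body) - pos < 4:
                raise ValueError(f"template {tid} is truncated")
            ie, flen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 8 if ie & 0x8000 else 4  # enterprise bit: 4-byte PEN follows
            fields.append((ie & 0x7FFF, flen))
        templates[tid] = fields
    return templates

def sample_datagram() -> bytes:
    """Constructed message: template 256 plus one record for the flow shown earlier."""
    tmpl = struct.pack("!16H", 2, 32, 256, 6, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 5, 1)
    data = struct.pack("!HH4B4BHHBB", 256, 18, 10, 1, 1, 19, 10, 1, 1, 1, 52465, 22, 6, 0)
    return struct.pack("!HHIII", 10, 16 + len(tmpl) + len(data), 1533418294, 0, 0) + tmpl + data
```

On the collector side, pass each UDP payload received on the configured port to parse_ipfix; a ValueError naming version 9 or 5 means nfprobe_version is not set to 10.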

Congratulations, you now have a working NetFlow/IPFIX exporter. Check out the Collecting
NetFlow (https://mattjhayes.com/2018/08/19/collecting-netflow-with-nfcapd-and-nfdump/) post for
how to build a NetFlow/IPFIX collector to receive the flow records.

[1] See: http://www.pmacct.net/

[2] Source: http://wiki.pmacct.net/OfficialFAQs

