Network troubleshooting: netflow collector
NetFlow is usually associated with high-end networking appliances such as Cisco routers, but an exporter and a collector can also be set up on any Unix-like OS:
It can be used temporarily to troubleshoot a network issue, an attack, etc.
The machine to collect from
apt-get install fprobe-ulog # or any other package manager
Edit the config file and set the IP/hostname:port of the collector (usually port 9995).
Firewall rules to log the traffic (no match is given, so every packet on the three chains is passed to fprobe-ulog; ULOG is the legacy target, newer kernels have dropped it in favour of NFLOG):
# --ulog-qthreshold 50: queue 50 packets before handing them to userspace
# --ulog-cprange 48:    copy only the first 48 bytes of each packet (IPv4 + TCP/UDP header)
iptables -A INPUT   -j ULOG --ulog-qthreshold 50 --ulog-cprange 48
iptables -A FORWARD -j ULOG --ulog-qthreshold 50 --ulog-cprange 48
iptables -A OUTPUT  -j ULOG --ulog-qthreshold 50 --ulog-cprange 48
The collector
apt-get install nfdump
vi /etc/default/nfdump   # ... set nfcapd_start=yes so the capture daemon starts
Troubleshoot
List the top 20 records by bandwidth (bits per second) within a specific time window:
# -R <file>: read from that capture file to the end of the directory
# -s record/bps -n 20: top-20 statistic of flow records ordered by bps
# -o extended: verbose output; -t: restrict to the time window
nfdump -R /var/cache/nfdump/nfcapd.201202271818 -s record/bps -n 20 \
    -o extended -t 2012/02/28.02:03:00-2012/02/28.02:08:00
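To make clear what the exporter gets from a 48-byte ULOG snapshot and what "-s record/bps" ranks, here is an added example (not code from this page, fprobe-ulog or nfdump): it parses the IPv4/TCP headers out of a snapshot, aggregates packets into flows and orders them by bits per second. The packets and timestamps are constructed samples, and the 1 s minimum duration is this demo's convention.

```python
import struct

def parse_snapshot(snap):
    """Flow key and IP length from a --ulog-cprange 48 packet snapshot.
    48 bytes cover a 20-byte IPv4 header plus a 20-byte TCP/UDP header, which
    is all a flow exporter needs. Returns None when the ports fall outside the
    snapshot (IPv4 options can push them past byte 48) or for non-TCP/UDP."""
    if len(snap) < 20 or snap[0] >> 4 != 4:
        return None
    ihl = (snap[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", snap[2:4])[0], snap[9]
    if proto not in (6, 17) or len(snap) < ihl + 4:
        return None
    src = ".".join(map(str, snap[12:16]))
    dst = ".".join(map(str, snap[16:20]))
    sport, dport = struct.unpack("!HH", snap[ihl:ihl + 4])
    return (proto, src, sport, dst, dport), total_len

def top_flows_by_bps(packets, n=20):
    """Aggregate (timestamp, snapshot) pairs into flows, ranked like nfdump -s record/bps.
    bps = bytes * 8 / duration; a flow seen for 0 s is counted over 1 s
    (this demo's convention, not nfdump's exact rule)."""
    flows = {}
    for ts, snap in packets:
        parsed = parse_snapshot(snap)
        if parsed is None:
            continue  # ports not in snapshot, or unsupported protocol
        key, length = parsed
        f = flows.setdefault(key, {"bytes": 0, "pkts": 0, "first": ts, "last": ts})
        f["bytes"] += length
        f["pkts"] += 1
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
    ranked = [(k, f["pkts"], f["bytes"], f["bytes"] * 8 // max(f["last"] - f["first"], 1))
              for k, f in flows.items()]
    return sorted(ranked, key=lambda r: r[3], reverse=True)[:n]

def ipv4_tcp(src, sport, dst, dport, total_len):
    """Constructed sample: IPv4 header (no options) + TCP header, truncated to 48 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return (ip + tcp + b"\x00" * 8)[:48]

# Constructed traffic (timestamp in seconds, snapshot): three TCP flows to 10.0.0.1.
SAMPLE = [(t, ipv4_tcp("10.0.0.5", 40000, "10.0.0.1", 80, 1500)) for t in (0, 1, 2)] + \
         [(t, ipv4_tcp("10.0.0.7", 40001, "10.0.0.1", 22, 100)) for t in (0, 10)] + \
         [(5, ipv4_tcp("10.0.0.9", 40002, "10.0.0.1", 443, 1000))]
```

Running top_flows_by_bps(SAMPLE) ranks the port-80 flow first (4500 bytes over 2 s), then the single-packet port-443 flow, then the slow port-22 flow.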