On Mar 24, 2014, at 4:44 PM, Alfredo Sola wrote:

> 
>       Good day,
> 
>       I have been using now and then nfsen/nfdump for some years, but I don't 
> claim to be an expert.
> 
>       As a platform for detecting trouble early (we could call that VEDA, 
> yes? Very Early DDoS Alert :) it is as good as things can conceivably be, in 
> my opinion. It is also a very convenient way to peek at network traffic. I'd 
> say that it fulfills those design goals quite nicely.
> 
>       In my latest implementation, I am struggling with two things: make it 
> work with a directory layout as FHS as possible, and script some early 
> response when trouble comes down the pipes.
> 
>       As for the first question, I have 'apt-get nfdump' and that works, but 
> have been unable to make nfsen work. It does start nfcapd among some 
> complaints about Perl (which is at version 5.18.2, which I understand should 
> work) and I can nfdump stuff out of the nfcapd files, but the web page says, 
> "Frontend - Backend version missmatch!" and "No data available!". I have been 
> searching this list in particular and the web in general, and applied the 
> session patch, but nothing helped.

The problem is, software with compile time options is completely unsuitable for 
that "packaging". For nfsen to work, that package must be built with nfprofile. 

To prevent trouble (and because I run several different instances on the same 
server and I use nginx with php-fpm instead of using Apache with a PHP module) 
I always prefer to build from source. It's really straightforward, even on 
FreeBSD.

>       I noticed there was at one point a mentoring request on Debian to pack 
> nfsen up, but it was withdrawn. Lack of interest? I'd love to be able to 
> apt-get install nfsen and have things just work, and I'm willing to put down 
> some resources towards that.
> 
>       Regarding the second question, I notice that there is currently no way 
> to have nfsen start nfcapd with custom args. I want to start nfcapd with -x 
> /usr/local/bin/somescript %d/%f so that I can run a custom nfdump analysis as 
> soon as a five-minute period is done, but for that the only solution is to 
> either edit NfSenRC.pm (and therefore when updating one needs to remember 
> patching it up again), or use something like incron. So I'd like to make that 
> a feature request, to provide support for a -x parameter or custom additional 
> parameters in nfsen.conf.

There's an option for custom nfcapd parameters, a parameter called "optarg".

Examples from one of my nfsen.etc files:

%sources = (
    'ROUTER1' => { 'port' => '2061', 'col' => '#ff0000', 'type' => 'netflow',
                   'optarg' => '-T all' },
    # ..
    'ROUTERN' => { 'port' => '2070', 'col' => '#ff99ff', 'type' => 'netflow',
                   'optarg' => '-T all' },
);

Borja.
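Putting the two halves of the thread together: the script below is an added example, not code from the list or from the nfsen/nfdump project, of the kind of per-file hook that an 'optarg' carrying the -x /usr/local/bin/somescript %d/%f option from the question would hand to nfcapd. It summarizes the just-rotated file with nfdump and logs destination addresses that received an unusual number of packets in that five-minute window; the nfdump fmt: field names and -N flag, the threshold, the hypothetical config line in the comment and the sample lines in the test are assumptions.

```shell
#!/bin/sh
# Hypothetical post-rotation hook for nfcapd, wired up through nfsen.conf roughly as
#   'optarg' => '-T all -x "/usr/local/bin/somescript %d/%f"'   (assumed syntax)
# nfcapd then calls this script with one argument: the capture file just closed.
# Not part of nfsen or nfdump; the threshold and field names are assumptions.

PKT_THRESHOLD="${PKT_THRESHOLD:-1000000}"   # packets to one destination per rotated file

# flood_targets: read "dst-address packets" pairs on stdin, one flow per line,
# sum packets per destination and print "addr total" for each address at or
# above PKT_THRESHOLD, sorted so the output is stable.
flood_targets() {
    awk -v thr="$PKT_THRESHOLD" '
        NF >= 2 { pkts[$1] += $2 }
        END { for (a in pkts) if (pkts[a] >= thr) printf "%s %d\n", a, pkts[a] }
    ' | sort
}

# check_file: dump one rotated nfcapd file as "destination packets" lines
# (-q: no header/summary, -N: plain numbers instead of "1.2 M") and send an
# alert line to syslog for every destination that flood_targets reports.
check_file() {
    file="$1"
    nfdump -q -N -r "$file" -o 'fmt:%da %pkt' | flood_targets |
    while read -r addr total; do
        logger -t veda -p daemon.warning \
            "possible flood: $addr received $total packets in $file"
    done
}

# When started by nfcapd the file path is $1; with no argument nothing runs,
# so the functions above can be sourced and exercised on their own.
if [ $# -ge 1 ]; then
    check_file "$1"
fi
```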

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
