Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools

Trace: flowviewer_centos7
flowviewer_centos7

Table of Contents

, ,

FlowViewer on CentOS 7

This page describes the installation of FlowViewer on CentOS 7 for NetFlow reporting.

Quote FlowViewer wiki: “FlowViewer has been developed for NASA’s Earth Sciences Data and Information System (ESDIS) networks, and credit goes to NASA for their usual outstanding support of innovation.”

Prerequisites

  • Install development tools:
    yum groupinstall development tools
yum install glib2-devel
  • Install libraries and source code:
    yum install zlib zlib-devel lzo lzo-devel libpcap libpcap-devel gnutls gnutls-devel python-devel c-ares c-ares-devel openssl-devel
  • Install webserver and dependencies:
    yum install httpd gd perl-GD perl-GDGraph perl-GDTextUtil rrdtool
systemctl enable httpd
systemctl start httpd
  • Download, compile and install libxbuf from http://tools.netsa.cert.org/fixbuf/:
    tar zxvf libfixbuf-1.6.2.tar.gz
./configure && make && make install
  • Download, compile and install netsa from http://tools.netsa.cert.org/netsa-python/index.html:
    tar zxvf netsa-python-1.4.3.tar.gz
python setup.py build
python setup.py install
  • Download, compile and install libipa from http://tools.netsa.cert.org/ipa/download.html:
    tar zxvf ipa-0.5.2.tar.gz
./configure && make && make install
  • Add /usr/local/lib to library path. 
    echo /usr/local/lib >>/etc/ld.so.conf.d/local.conf
ldconfig -v

Install SiLK

  • Download SiLK from: http://tools.netsa.cert.org/
  • Extract tar.gz file:
    tar zxvf silk-3.10.1.tar.gz
  • Configure and compile:
    mkdir -p /opt/silk/data
./configure \
          --enable-data-rootdir=/opt/silk/data \
          --prefix=/opt/silk \
          --enable-output-compression \
          --with-libipa=/usr/local/lib/pkgconfig \
          --with-libfixbuf=/usr/local/lib/pkgconfig

make
make install

************************************************************
Example site configuration files have been installed in
    /opt/silk/share/silk/*-silk.conf
Choose the file that matches your packing logic plug-in
and/or installation, rename it to silk.conf, customize it,
and copy it to the root of the data directory:
    /opt/silk/data/silk.conf
************************************************************

Configure SiLK

  • Create /opt/data/silk.conf:
    cp /opt/silk/share/silk/twoway-silk.conf /opt/silk/data/silk.conf
  • Edit silk.conf for example:
    sensor 0 uplink    "Uplink"

class all
    sensors uplink
end class
  • Specify local address space:
    cd /opt/silk/share/silk
cp addrtype-templ.txt addresses.txt
vi addresses.txt
  # My IP space (CMU)
  128.2.0.0/16        internal

/opt/silk/bin/rwpmapbuild --input addresses.txt --output address_types.pmap
  • Install Country Code mapping (legacy format). Download CSV from http://dev.maxmind.com/geoip/legacy/geolite/:
    unzip -p GeoIPCountryCSV.zip | \
          /opt/silk/bin/rwgeoip2ccmap --csv-input > country_codes.pmap

cp country_codes.pmap /opt/silk/share/silk/country_codes.pmap
  • Create /opt/silk/data/sensor.conf:
    probe uplink netflow-v9
     listen-on-port 9901
     protocol udp
     accept-from-host 1.2.3.1
end probe
sensor uplink
     netflow-v9-probes uplink
     internal-ipblock 1.2.3.0/24
     external-ipblock remainder
end sensor
  • Create /opt/silk/etc/rwflowpack.conf:
    ENABLED=yes
BIN_DIR=/opt/silk/sbin
DATA_ROOTDIR=/opt/silk/data
PID_DIR=/var/run
SENSOR_CONFIG=/opt/silk/data/sensor.conf
SITE_CONFIG=/opt/silk/data/silk.conf
INPUT_MODE=stream
OUTPUT_MODE=local-storage
LOG_TYPE=legacy
LOG_DIR=/opt/silk/log
LOG_LEVEL=info
CREATE_DIRECTORIES=yes
  • Enable (legacy) service:
    cp /root/silk-3.10.1/src/rwflowpack/rwflowpack.init.d /etc/init.d/rwflowpack
chkconfig rwflowpack on
service rwflowpack start

Configure NetFlow v9 for RouterOS

  • Put source in trusted zone, add udp port:
    firewall-cmd --permanent --zone=trusted --add-source=1.2.3.1
firewall-cmd --permanent --zone=trusted --add-port=9901/udp
firewall-cmd --reload
firewall-cmd --zone=trusted --list-all
  • On RouterOS add flow config:
    /ip traffic-flow target add version=9 address=1.2.3.4:9901
/ip traffic-flow set enabled=yes interfaces=bridge1-uplink
/ip firewall filter chain=output action=accept protocol=udp dst-address=1.2.3.6 dst-port=9901

Test query

  • Test SiLK with a query:
    /opt/silk/bin/rwfilter --sensor=uplink --proto=0-255 --pass=stdout --type=all | /opt/silk/bin/rwcut | tail

Install FlowViewer

  • Download FlowViewer: http://sourceforge.net/projects/flowviewer/files
  • Open port to webserver:
    firewall-cmd --permanent --zone=trusted --add-service=http
firewall-cmd --reload
firewall-cmd --zone=trusted --list-all
  • Untar into /var/www/cgi-bin subdirectory:
    cd /var/www/cgi-bin
tar xvf /root/FlowViewer_4.6.tar
  • Configure FlowViewer_Configuration.pm variables as necessary.
  • Allow write access for FlowViewer:
    semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowGrapher(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowMonitor(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Dashboard(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/FlowViewer_Saves(/.*)?"

restorecon -Rv /var/www/html
  • Create all necessary directories with proper permissions.
  • Copy FlowViewer.css, FlowViewer.png to $reports_directory.
  • Start FlowMonitor_Collector, FlowMonitor_Grapher in background.
  • Point browser to FV.cgi
flowviewer_centos7.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1