NeDi Flowi NetFlow sFlow and packet capture

NeDi/Flowi Docker commands

The NeDi system lets you set up GroundWork Monitor 8.0.0 as a NetFlow/sFlow collector, and/or capture packets on a network interface of the host where GroundWork runs. Because these capabilities must listen on a host network interface (rather than inside a container's own network), they work differently from the standard GroundWork Monitor 8.0.0 connectors and take an extra step or two to set up.

How does it work?

We run a copy of the NeDi container with nfcapd for NetFlow or sFlow, and a separate one with nfpcapd for packet capture. Containerizing these tools lets you deploy them without installing and configuring nfdump on your host. The containers share the nfdump-var Docker volume with the NeDi and NeDi Flowi cron containers, which is how NeDi gets to display the data they collect.

Do I have to do it?

Nope. This is entirely optional, but you may need packet capture or NetFlow/sFlow monitoring. In combination with NeDi's policy engine and the GroundWork NeDi Cloud Hub connector, this represents a powerful addition to your monitoring toolset. Once you complete these steps, you can access the data they collect in GroundWork using the Network Discovery application, NeDi. Look in the NeDi menus under Nodes → Traffic. 

What do I need to set up besides these containers?

See the prerequisites below. First, though, decide whether you are going to use NetFlow, sFlow, or packet capture (or a combination). These are different technologies for monitoring network traffic, each with its own advantages and disadvantages. If you have questions about which to use, ask our support team for advice at GroundWork Support. You can set up as many containers as you need: one collector container per device that sends you flows, and, for packet capture, one container per host interface you want to monitor.

So, here's how to get it going...

Set up a NetFlow/sFlow collector container

Prerequisites:

  • You must have at least one device on your network that is capturing NetFlow or sFlow "flows".
  • You must be able to configure these devices to send the flows to GroundWork on a specified UDP port; the default is 2055.

    You can set this port to one of your own choosing, and you will need each instance to use a separate port if you use more than one. 

  • You may need to adjust firewall settings so the port(s) you use are reachable from the exporting devices. NetFlow and sFlow carry no authentication, so restrict the collector port to the source addresses of your exporters: anything that can reach the port can inject flow records that NeDi will display as real traffic.

Here's an example:

At the GroundWork command line, in the gw8 directory, type the following commands:

DEVICE=collector
GW_TAG=$(grep '^GW_TAG=' .env | sed 's/^GW_TAG=//')

The DEVICE variable is an arbitrary name used in the container name and in the data directory name; it must be unique per container if you create more than one. The GW_TAG variable is the version tag of your GroundWork Monitor installation; the line above reads it from the .env file in the gw8 directory.


Next, type (or copy and paste) the following setup line:

docker run --rm -v dockergw8_nfdump-var:/var/nfdump "groundworkdevelopment/nedi:${GW_TAG}" bash -c "mkdir -p '/var/nfdump/${DEVICE}'; nfexpire -s 2g -u '/var/nfdump/${DEVICE}';"

This creates the volume (if it does not already exist) and the data directory, and tells nfexpire to expire the oldest files once the directory grows past 2 GB. Adjust as necessary, but be aware that flows and packet captures can consume a lot of disk space.

Now you can start the container:

docker run -d -p 2055:2055/udp -v dockergw8_nfdump-var:/var/nfdump --name "nfcapd_${DEVICE}" "groundworkdevelopment/nedi:${GW_TAG}" nfcapd -p 2055 -e -w -j -l "/var/nfdump/${DEVICE}"

This starts nfcapd listening for flows on UDP port 2055. The /udp suffix on the port mapping matters: NetFlow and sFlow are sent over UDP, and a bare -p 2055:2055 publishes TCP only, so no flows would ever reach the collector. If you need a different port, change it in both places, the -p host:container mapping (keeping /udp) and the nfcapd -p argument. To accept flows on only one host address, prefix the mapping with it, e.g. -p 10.0.0.5:2055:2055/udp.

To see the logs for the container, type:

docker logs -f "nfcapd_${DEVICE}"

Remember that if you come back to this in a later session, you will need to set the DEVICE variable again, or simply use the running container's name directly. Use docker ps to see all running containers.

Similarly, to stop the container:

docker stop "nfcapd_${DEVICE}"

and to remove it, if you ever need to:

docker rm "nfcapd_${DEVICE}"

Set up a packet capture container

Prerequisites:

  • You must know the name of the host interface you want to listen on (e.g., "eth0"). Run ifconfig or ip link at the host command line to list interfaces.

First, type:

DEVICE=capture
GW_TAG=$(grep '^GW_TAG=' .env | sed 's/^GW_TAG=//')

The DEVICE variable sets the name of the container (nfpcapd_capture) and the name of the directory where data is stored. It is arbitrary, but it must be unique if you run more than one packet capture container. For example, if you want GroundWork to listen on several interfaces, you might name DEVICE after the interface the container listens on, e.g. eth0, eth1, and so on.

The GW_TAG variable is simply the version tag for your version of GroundWork Monitor. The line above finds it for you.

Next type (or copy and paste) the setup command:

docker run --rm -v dockergw8_nfdump-var:/var/nfdump "groundworkdevelopment/nedi:${GW_TAG}" bash -c "mkdir -p '/var/nfdump/${DEVICE}'; nfexpire -s 2g -u '/var/nfdump/${DEVICE}';"

Now type (or copy and paste) the command to run the container:

docker run -d --net=host -v dockergw8_nfdump-var:/var/nfdump --name "nfpcapd_${DEVICE}" "groundworkdevelopment/nedi:${GW_TAG}" nfpcapd -i eth0 -T all -j X -l "/var/nfdump/${DEVICE}"

This example starts packet capture on eth0. Be sure to change eth0 in the line above to your interface name, e.g. "eth1" or "ens5", whichever you decide to listen on. Note that --net=host places the container in the host's network namespace; that is what lets nfpcapd open the host interface, so no -p port mapping is needed (or possible) here. If you give the wrong interface name, the container may exit immediately, or start and capture nothing; check docker logs, then stop and remove the container and try again.

To see the logs for the container, type:

docker logs -f "nfpcapd_${DEVICE}"

Remember that if you come back to this in a later session, you will need to set the DEVICE variable again, or simply use the running container's name directly. Use docker ps to see all running containers.

To stop the container, type:

docker stop "nfpcapd_${DEVICE}"

And finally, if you have to remove the container, type:

docker rm "nfpcapd_${DEVICE}"

There's no harm in stopping, deleting and re-creating these containers until you have them running with the right settings.
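Putting the collector and packet capture procedures above together, here is a small wrapper script added as an example for this article; it is not part of GroundWork or NeDi. It reads GW_TAG the way the article does, validates DEVICE, the port, the bind address and the interface name before splicing them into the docker commands (DEVICE ends up inside a bash -c string and in a path under /var/nfdump, so a quote or a slash in it would break out), publishes the collector port as UDP, and with DRY_RUN=1 prints the commands instead of running them. The script name nedi-flow.sh, the DRY_RUN variable and the validation rules are assumptions of the example; the image, volume and nfcapd/nfpcapd arguments are the ones the article uses.

```shell
#!/usr/bin/env bash
# nedi-flow.sh: build and (optionally) run the NeDi/Flowi container commands
# from this article for a NetFlow/sFlow collector or a packet-capture container.
# Added example, not GroundWork or NeDi code. The script name, the DRY_RUN
# variable and the validation rules are assumptions; the image, the volume
# and the nfcapd/nfpcapd arguments are the ones the article uses.
#
# Usage (from the gw8 directory, where .env lives):
#   ./nedi-flow.sh collector DEVICE PORT [BIND_IP]
#   ./nedi-flow.sh capture   DEVICE INTERFACE
#   DRY_RUN=1 ./nedi-flow.sh ...   prints the docker commands instead of running them

IMAGE_REPO=groundworkdevelopment/nedi
VOLUME=dockergw8_nfdump-var
EXPIRE_SIZE=2g   # nfexpire limit; flows and captures eat disk quickly

# Read GW_TAG from an .env file exactly as the article's one-liner does.
read_gw_tag() {
  grep '^GW_TAG=' "${1:-.env}" 2>/dev/null | sed 's/^GW_TAG=//' | head -n 1
}

# DEVICE, GW_TAG and the interface name are spliced into a bash -c string and
# into paths under /var/nfdump, so allow only [A-Za-z0-9_.-] and reject "."
# and "..": a quote, space, ';' or '/' would break out of the quoting or
# escape the data directory. (Deliberately stricter than Linux allows.)
valid_name() {
  case $1 in
    ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# A usable UDP port: digits only, 1-65535.
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One-time setup: create the data directory and cap it with nfexpire.
setup_cmd() {
  local tag=$1 device=$2
  printf 'docker run --rm -v %s:/var/nfdump %s:%s bash -c "mkdir -p /var/nfdump/%s; nfexpire -s %s -u /var/nfdump/%s"' \
    "$VOLUME" "$IMAGE_REPO" "$tag" "$device" "$EXPIRE_SIZE" "$device"
}

# Collector: NetFlow and sFlow arrive over UDP, so the port is published as
# /udp (a bare -p 2055:2055 publishes TCP only and no flows would ever arrive).
# BIND_IP restricts which host address accepts flows; default is all addresses.
collector_cmd() {
  local tag=$1 device=$2 port=$3 bind_ip=${4:-0.0.0.0}
  printf 'docker run -d -p %s:%s:%s/udp -v %s:/var/nfdump --name nfcapd_%s %s:%s nfcapd -p %s -e -w -j -l /var/nfdump/%s' \
    "$bind_ip" "$port" "$port" "$VOLUME" "$device" "$IMAGE_REPO" "$tag" "$port" "$device"
}

# Packet capture: --net=host puts nfpcapd in the host network namespace so it
# can open the host interface; there is no port mapping in this mode.
capture_cmd() {
  local tag=$1 device=$2 iface=$3
  printf 'docker run -d --net=host -v %s:/var/nfdump --name nfpcapd_%s %s:%s nfpcapd -i %s -T all -j X -l /var/nfdump/%s' \
    "$VOLUME" "$device" "$IMAGE_REPO" "$tag" "$iface" "$device"
}

run_or_print() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

main() {
  local mode=$1 device=$2 arg=$3 bind_ip=${4:-} tag
  tag=$(read_gw_tag .env)
  valid_name "$tag"    || { echo "GW_TAG missing or malformed in .env (run from the gw8 directory)" >&2; return 1; }
  valid_name "$device" || { echo "DEVICE must match [A-Za-z0-9_.-]: '$device'" >&2; return 1; }
  case $mode in
    collector)
      valid_port "$arg" || { echo "bad UDP port: '$arg'" >&2; return 1; }
      case $bind_ip in *[!0-9.]*) echo "bad BIND_IP: '$bind_ip'" >&2; return 1 ;; esac
      run_or_print "$(setup_cmd "$tag" "$device")"
      run_or_print "$(collector_cmd "$tag" "$device" "$arg" "$bind_ip")" ;;
    capture)
      valid_name "$arg" || { echo "bad interface name: '$arg'" >&2; return 1; }
      run_or_print "$(setup_cmd "$tag" "$device")"
      run_or_print "$(capture_cmd "$tag" "$device" "$arg")" ;;
    *)
      echo "usage: $0 collector DEVICE PORT [BIND_IP] | capture DEVICE INTERFACE" >&2; return 1 ;;
  esac
}

# Dispatch only when executed as nedi-flow.sh, so the functions can also be sourced.
case ${0##*/} in nedi-flow.sh) main "$@" ;; esac
```

Run it once with DRY_RUN=1 and compare the printed commands with the ones in the article before running it for real; the only intended differences are the /udp suffix on the collector port mapping and the optional bind address in front of it.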
