About NeDi Flowi NetFlow sFlow and Packet Capture

The NeDi system allows you to set up GroundWork Monitor 8 as a NetFlow collector, and/or to capture packets on a network interface on the host where GroundWork runs. As these capabilities require listening on a network interface of the host (as opposed to a container), they operate differently from the standard GroundWork containers and therefore take an extra step or two to set up.

How does it work?

We set up a copy of the NeDi container to run nfcapd for NetFlow or sFlow, and a separate one for packet capture with nfpcapd. Containerizing these apps allows you to deploy them without having to install and configure nfdump on your host. If you want to, you can still use nfdump natively with the NeDi component in GroundWork and monitor flows and packet captures all over your data center - you have all the software you need in GroundWork to do this.

The NeDi/Flowi containers share the nfdump-var docker volume with NeDi and the NeDi Flowi cron job, allowing NeDi to display the data they collect.

Do I have to do it?

No. This is entirely optional, however you may need packet capture or NetFlow/sFlow monitoring. In combination with NeDi's policy engine and the GroundWork NeDi Cloud Hub connector, this represents a powerful addition to your monitoring toolset. Once you complete these steps, you can access the data they collect in GroundWork using the Network Discovery application, NeDi. Look in the NeDi menus under Nodes > Traffic. If you set up the NeDi Cloud Hub connector (and why not? it's easy), you can get services and hosts in GroundWork for all the policy monitoring you do on your network with NeDi.

What do I need to set up besides containers?

See the prerequisites below. First though, you need to decide whether you are going to use NetFlow, sFlow, or packet capture (or a combination). These are all different technologies for monitoring network traffic, each with its own advantages and disadvantages. If you have questions about what to use, please ask our support team for advice at GroundWork Support. You can set up as many containers as you need, one for each device that is sending you flows. In the case of packet capture, one container is needed per interface on which you want to monitor traffic.

So, here's how to get it going.

Setting Up a NetFlow/sFlow Collector Container

Prerequisites

  • You must have at least one device on your network that is capturing NetFlow or sFlow "flows".

  • You must be able to configure these devices to send the flows to GroundWork on a specified port, default is 2055.

    You can set this port to one of your own choosing, and you will need each instance to use a separate port if you use more than one. 

  • You may need to adjust firewall settings to ensure the port(s) you use is/are reachable.

Enabling the NetFlow Collector

  1. At the GroundWork command line in the gw8 directory, edit the docker-compose.override.yml file.
    Un-comment the section:

    # Uncomment to enable NeDi nfcapd collector
    nfcapd_collector:
      image: groundworkdevelopment/nedi:${GW_TAG}
      command: nfcapd -p 2055 -e -w -j -l /var/nfdump/collector
      ports:
        - "2055:2055"
      volumes:
        - nfdump-var:/var/nfdump

    • Make sure to indent the nfcapd_collector: line to align with the other entries in the services: section, as this is a YAML file and indentation is significant.

  2. Adjust the port if necessary. For example, if you want the collector to listen on 2056, change the line from: 

    - "2055:2055"

    to:

    - "2056:2055"
  3. Restart GroundWork to initialize the container:

    docker-compose down
    docker-compose up -d

    If you instantiate more than one NetFlow collector container, you have to change not only the port but the container name. For example your second collector can be called nfcapd_collector2

    • To see the logs for the container, enter:

      docker-compose logs nfcapd_collector
    • Similarly, to remove the container you can simply comment out the section in docker-compose.override.yml and restart. To temporarily stop it, enter:

      docker-compose kill nfcapd_collector
    • It will restart with GroundWork as long as the section is uncommented in the docker-compose.override.yml file. 

Set Up a Packet Capture Container

Prerequisites

You must know the name of the host interface you want to listen on (e.g., eth0). Run ifconfig at the host command line to list interfaces.

Steps

  1. At the GroundWork command line in the gw8 directory, edit the docker-compose.override.yml file.
    Un-comment the section:

    # Uncomment to enable NeDi nfpcapd capture, changing "eth0" to the desired network interface
    nfpcapd_capture:
      image: groundworkdevelopment/nedi:${GW_TAG}
      command: nfpcapd -i eth0 -T all -j X -l /var/nfdump/capture
      network_mode: host
      volumes:
        - nfdump-var:/var/nfdump

    Make sure to indent the nfpcapd_capture: line to align with the other entries in the services: section, as this is a YAML file and indentation is significant.

  2. Adjust the interface if necessary. For example, if you want the capture to happen on eth1, change the line: 

    command: nfpcapd -i eth0 -T all -j X -l /var/nfdump/capture

    to:

    command: nfpcapd -i eth1 -T all -j X -l /var/nfdump/capture
  3. Restart GroundWork to initialize the container:

    docker-compose down
    docker-compose up -d

    If you instantiate more than one packet capture container, you have to change not only the interface but also the container name. For example, your second capture container can be called nfpcapd_capture2.

    • To see the logs for the container, enter:

      docker-compose logs nfpcapd_capture
    • Similarly, to remove the container you can simply comment out the section in docker-compose.override.yml and restart.  To temporarily stop it, enter:

      docker-compose kill nfpcapd_capture
    • It will restart with GroundWork as long as the section is uncommented in the docker-compose.override.yml file.
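As an added example (not part of the original page and not the GroundWork project's own file), the following services: section of a docker-compose.override.yml combines the two procedures above: two NetFlow/sFlow collectors with distinct service names on separate host ports (2055 and 2056, as described in step 2 and the note after step 3 of the collector procedure), plus one packet capture container on eth0. It goes beyond the page in one respect: the port mappings carry a /udp suffix, because NetFlow and sFlow are sent over UDP and a compose port mapping without a protocol suffix publishes TCP only; the page's own snippet omits the suffix. The nfdump-var volume is assumed to be declared in the base docker-compose.yml, since the page states it is shared with NeDi.

```yaml
# docker-compose.override.yml (services: section only).
# Added example, not the project's own file. Assumes nfdump-var is declared
# by the base docker-compose.yml, as the page says it is shared with NeDi.
services:

  # Collector 1: host port 2055 -> container port 2055.
  nfcapd_collector:
    image: groundworkdevelopment/nedi:${GW_TAG}
    command: nfcapd -p 2055 -e -w -j -l /var/nfdump/collector
    ports:
      # NetFlow/sFlow arrive over UDP; compose publishes TCP unless /udp is given.
      # The page's snippet omits /udp; adding it is this example's choice.
      - "2055:2055/udp"
    volumes:
      - nfdump-var:/var/nfdump

  # Collector 2: a distinct service name AND a distinct host port (2056).
  # The container side still listens on 2055, so the command is unchanged,
  # as the page instructs (only the name and the port differ).
  nfcapd_collector2:
    image: groundworkdevelopment/nedi:${GW_TAG}
    command: nfcapd -p 2055 -e -w -j -l /var/nfdump/collector
    ports:
      - "2056:2055/udp"
    volumes:
      - nfdump-var:/var/nfdump

  # Packet capture on the host's eth0. It needs network_mode: host to see the
  # host interface, so it has no ports: entry of its own.
  nfpcapd_capture:
    image: groundworkdevelopment/nedi:${GW_TAG}
    command: nfpcapd -i eth0 -T all -j X -l /var/nfdump/capture
    network_mode: host
    volumes:
      - nfdump-var:/var/nfdump
```

After saving the file, restart as in step 3 (docker-compose down, then docker-compose up -d) and check each container with docker-compose logs <service name>. Each published UDP port is reachable from the network, so the firewall adjustment named in the prerequisites should admit only the devices that actually send flows.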

Related Resources