Author Topic: Netflow collector setup  (Read 199 times)

machiasiaweb
Netflow collector setup
« on: December 13, 2016, 10:13:56 PM »
Hello,

I am reading the netflow setup from the wiki:
http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Netflow

Some questions about the netflow setup:

1) Where can I set up the collector parameters? At least, I cannot see anywhere to set up the listening port.

2) Where is the report section? It has been deleted:
http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Data_Presentation#Reports

3) How can I set it up as a multi collector? I have multiple devices that need to send netflow into Pandora.

4) Does it support sflow? The manual does not mention it in much detail.

Thanks!

antonio.s (Administrator)
Re: Netflow collector setup
« Reply #1 on: December 14, 2016, 12:49:43 AM »
Hello machiasiaweb,

1) You can execute "man nfcapd" to see all the configuration options. To define the port you can use "-p".

2) Reporting section: http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Data_Presentation/Reports
Here is the global index of the documentation, in case you need it: http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en

3) You don't need to set it as a "multi collector". Just by executing nfcapd, it will listen for all the incoming netflow data; it doesn't matter where it comes from as long as it uses the same listening port.

4) sflow is not supported.

Kind regards,
Antonio.

machiasiaweb
Re: Netflow collector setup
« Reply #2 on: December 14, 2016, 12:56:51 AM »
Hello,

For 3) You don't need to set it as a "multi collector". Just by executing nfcapd, it will listen for all the incoming netflow data; it doesn't matter where it comes from as long as it uses the same listening port.

> That means it will mix up all the information when using a single listening port with multiple reporters.
I think my question should be: can nfcapd run with multiple listening ports? And, of course, Pandora FMS can split them as well.

Thanks!

antonio.s (Administrator)
Re: Netflow collector setup
« Reply #3 on: December 14, 2016, 07:27:44 AM »
Hello machiasiaweb,

I think that the setup you are proposing doesn't make much sense. Netflow data is already detailed enough that you can use traffic filtering by IP (source and destination) and by port (source and destination), so it is not as if all the information will get mixed up and become impossible to understand. Netflow packets contain all that information no matter what the sources are; that's how it works.
That mess would only happen if you are collecting traffic from two separate subnets with the SAME IP ranges with two different netflow probes. For example, traffic from two separate offices, both with the 192.168.10.0/24 range. This case is quite unlikely, so I don't think you need a specific setup.

Anyway, if at some point the situation comes to that scenario, and to answer your question: you can run several nfcapd listeners simultaneously on different ports, but Pandora can only read from one folder (/var/spool/pandora/data_in/netflow), so it wouldn't help you that much. The only thing you could do is to have two separate Pandora FMS instances with their individual databases, which is not very practical.

Kind regards,
Antonio.
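
The overlapping-range case from the reply above, as an added example that is not part of the original thread: two probes export NetFlow v5 records for the same 192.168.10.0/24 flow, and aggregating on the flow fields alone merges them, while also keying on the sending exporter keeps them apart. The exporter addresses and flow values are constructed, and keying on the datagram's sender address is an assumption of this sketch, not a description of what nfcapd or Pandora FMS does.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5(flows):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto, octets)."""
    out = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, sport, dport, proto, octets in flows:
        out += V5_RECORD.pack(
            ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
            b"\0" * 4, 0, 0, 1, octets, 0, 0, sport, dport,
            0, 0, proto, 0, 0, 0, 24, 24, 0)
    return out

def parse_v5(datagram):
    """Return [(flow_key, octets)] where flow_key = (src, dst, sport, dport, proto)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        key = (str(ipaddress.ip_address(f[0])), str(ipaddress.ip_address(f[1])),
               f[9], f[10], f[13])
        flows.append((key, f[6]))  # f[6] is dOctets
    return flows

def aggregate(received, by_exporter):
    """Sum octets per flow; optionally prefix the key with the exporter address."""
    totals = defaultdict(int)
    for exporter_ip, datagram in received:
        for key, octets in parse_v5(datagram):
            totals[(exporter_ip,) + key if by_exporter else key] += octets
    return dict(totals)

# Constructed sample: the same private-range flow reported by two office probes.
FLOW = ("192.168.10.5", "192.168.10.20", 51000, 443, 6)
RECEIVED = [
    ("203.0.113.1", build_v5([FLOW + (1000,)])),  # hypothetical office A probe
    ("203.0.113.2", build_v5([FLOW + (4000,)])),  # hypothetical office B probe
]
```

`aggregate(RECEIVED, False)` reports one 5000-byte flow, while `aggregate(RECEIVED, True)` reports two separate flows of 1000 and 4000 bytes.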

machiasiaweb
Re: Netflow collector setup
« Reply #4 on: December 14, 2016, 06:22:10 PM »
Hello Antonio,

Thanks for your reply; I now understand the netflow setup under Pandora FMS much better.

Yes, it really would be a mess if multiple reporters were sending the same contents. But I think a common situation is that one is monitoring WAN traffic and another one is monitoring LAN traffic. They will have many different contents there.

Thanks!