(Instructions for Ubuntu)
- This assumes that the NAT, routing, httpd, php, mysql, fprobe-ulog and flow-tools packages are already installed.
- Configure /etc/default/fprobe-ulog:
INTERFACE="eth:100,ppp:200"
FLOW_COLLECTOR="localhost:555"
OTHER_ARGS=""
where FLOW_COLLECTOR is the host and port on which flow-capture is running.
- Configure /etc/flow-tools/flow-capture.conf:
-R /root/flows/rota -e 2 -w /var/flows/acct -n287 -S5 -V5 -N0 127.0.0.1/127.0.0.1/555
- Add iptables rules so that all the packets to be accounted (here, the NATed traffic) pass through the ULOG target.
This is only an example:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NETFLOW - [0:0]
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 25 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 110 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 4444 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 25 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 110 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p udp -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p udp -j NETFLOW
-A FORWARD -s 192.168.0.5/32 -j NETFLOW
-A FORWARD -s 192.168.0.200/32 -p udp -m udp --dport 123 -j NETFLOW
-A FORWARD -s 192.168.0.200/32 -p udp -m udp --dport 53 -j NETFLOW
-A FORWARD -d 192.168.0.0/24 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 110 -j NETFLOW
-A FORWARD -s 192.168.0.0/24 -d 123.123.123.123/32 -p tcp -m tcp --dport 25 -j NETFLOW
-A NETFLOW -j ULOG
-A NETFLOW -j ACCEPT
COMMIT
- Create a folder /var/flows/acct/ (flow storage)
- Create a folder /root/flows/
- In the folder /root/flows/ create an executable file, the script that exports the data to the MySQL database: /root/flows/rota
#!/bin/sh
/usr/bin/flow-export -f3 -mUNIX_SECS,DOCTETS,SRCADDR,DSTADDR,INPUT,OUTPUT,SRCPORT,DSTPORT,PROT -u "root:pass:localhost:3306:ulog:raw" < "$1"
- In the file /root/flows/rota change "root:pass:localhost:3306:ulog:raw" to your own "login:password:mysqlhostname:port:databasename:tablename" for MySQL access
(the user must have write access to the database!)
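A more defensive version of the rota script, added here as an example (it is not the script from this page and not part of flow-tools): the MySQL credential string is read from a separate root-only file instead of sitting in the script body, the flow file and the credential string are checked before flow-export is called, and a failed export is logged and the file copied aside before flow-capture expires it. The paths /root/flows/export.cred and /var/flows/failed are assumptions; flow-export, its -f3/-m/-u options and the field list come from the script above. Put a dedicated MySQL account with write access to the ulog database in the credentials file rather than root.

```shell
#!/bin/sh
# Replacement for /root/flows/rota (added example, not the original script).
# flow-capture runs it as "rota FLOWFILE" after each rotation (-R option).
# Assumed paths, change to taste:
CRED_FILE=/root/flows/export.cred   # one line: login:password:host:port:db:table (chmod 600)
FAILED_DIR=/var/flows/failed         # copies of flow files whose export failed
FLOW_EXPORT=/usr/bin/flow-export
FIELDS=UNIX_SECS,DOCTETS,SRCADDR,DSTADDR,INPUT,OUTPUT,SRCPORT,DSTPORT,PROT

# Log via syslog when logger is available, otherwise to stderr.
log_info() { logger -t rota -p daemon.info "$*" 2>/dev/null || echo "rota: $*" >&2; }
log_err()  { logger -t rota -p daemon.err  "$*" 2>/dev/null || echo "rota: $*" >&2; }

# True if the mode (as printed by "stat -c %a") grants nothing to group/other.
cred_perms_ok() {
    case "$1" in *00) return 0 ;; *) return 1 ;; esac
}

# True if the string has exactly the six colon-separated fields flow-export -u expects.
valid_cred_string() {
    n=$(printf '%s\n' "$1" | awk -F: '{ print NF }')
    [ "$n" -eq 6 ]
}

# True if the argument is a readable, non-empty regular file.
usable_flow_file() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# Print the credential string from FILE after checking permissions and format.
load_credentials() {
    [ -r "$1" ] || { log_err "cannot read credentials file $1"; return 1; }
    cred_perms_ok "$(stat -c %a "$1")" ||
        { log_err "$1 is group/world accessible; chmod 600 it"; return 1; }
    IFS= read -r cred < "$1" || true        # read fails without a trailing newline, cred is still set
    valid_cred_string "$cred" ||
        { log_err "$1 must contain login:password:host:port:db:table"; return 1; }
    printf '%s\n' "$cred"
}

main() {
    flow_file=$1
    usable_flow_file "$flow_file" || { log_err "no usable flow file: '$flow_file'"; return 1; }
    cred=$(load_credentials "$CRED_FILE") || return 1
    if "$FLOW_EXPORT" -f3 -m"$FIELDS" -u "$cred" < "$flow_file"; then
        log_info "exported $flow_file"
        return 0
    else
        status=$?
        # -e 2 in flow-capture.conf keeps only two files, so keep a copy for a retry
        mkdir -p "$FAILED_DIR" && cp -p "$flow_file" "$FAILED_DIR/"
        log_err "flow-export exited $status on $flow_file; copy kept in $FAILED_DIR"
        return "$status"
    fi
}

# flow-capture always passes the file name; with no argument the script only
# defines its functions (handy for sourcing and testing).
[ $# -eq 0 ] || main "$1"
```

flow-export still receives the credential string as a command-line argument, so any local user can read it from the process list while an export runs; the separate file only keeps the password out of the script itself and out of copies of /root/flows. Run the script once by hand with a freshly rotated file from /var/flows/acct to confirm the syslog entry before relying on it.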
- Log in to MySQL and create the ulog database:
create database ulog;
- Create a table raw to store the data:
CREATE TABLE IF NOT EXISTS `raw` (
`unix_secs` int(11) unsigned NOT NULL default '0',
`dpkts` int(11) unsigned NOT NULL default '0',
`doctets` int(11) unsigned NOT NULL default '0',
`srcaddr` varchar(45) NOT NULL default '0',
`dstaddr` varchar(45) NOT NULL default '0',
`input` smallint(5) unsigned NOT NULL default '0',
`output` smallint(5) unsigned NOT NULL default '0',
`srcport` smallint(5) unsigned NOT NULL default '0',
`dstport` smallint(5) unsigned NOT NULL default '0',
`prot` tinyint(3) unsigned NOT NULL default '0',
KEY `unix_secs` (`unix_secs`),
KEY `srcaddr` (`srcaddr`),
KEY `dstaddr` (`dstaddr`),
KEY `input` (`input`),
KEY `output` (`output`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
- Add a new user to MySQL:
GRANT ALL PRIVILEGES ON ulog.* TO 'USER'@'localhost' IDENTIFIED BY 'PASSWORD';
You must change USER and PASSWORD!
- Start services:
service fprobe-ulog start
service flow-capture start
- After 15-20 minutes check the MySQL database:
select * from raw limit 5;
You should see something like this:
unix_secs   doctets  srcaddr          dstaddr        srcport  dstport
1919283189  46934    123.123.123.123  192.168.1.123  443      1120
If a column never contains data (only 0), the export script is working incorrectly.
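The "a column that is always 0" check above can be made repeatable. The following script is an added example, not part of the original page or of flow-tools: it reads tab-separated rows (as produced by the mysql client in batch mode, shown in the comment) and reports every column that is 0, empty or 0.0.0.0 in all rows. The dpkts column is deliberately left out of the column list, because the rota script above exports no DPKTS field, so dpkts always keeps its default 0 and says nothing about whether the export works. The sample rows inside the script are constructed, not real capture data.

```shell
#!/bin/sh
# Added example (not from the original page): find columns of the raw table
# that never receive data. Feed it the output of a batch query, for instance:
#   mysql -B -N -u USER -p ulog \
#     -e "SELECT $COLS FROM raw ORDER BY unix_secs DESC LIMIT 500" | dead_columns "$COLS"
COLS=unix_secs,doctets,srcaddr,dstaddr,input,output,srcport,dstport,prot

# dead_columns COLUMN_LIST   (tab-separated rows on stdin, columns in that order)
# Prints the name of every listed column that is 0, empty or 0.0.0.0 in all rows.
# Exit status: 0 every column carries data, 1 at least one dead column, 2 no rows read.
dead_columns() {
    awk -F'\t' -v cols="$1" '
        BEGIN { n = split(cols, name, ",") }
        NF == 0 { next }                      # skip blank lines
        {
            rows++
            for (i = 1; i <= n; i++)
                if ($i != "" && $i != "0" && $i != "0.0.0.0") live[i] = 1
        }
        END {
            if (rows == 0) { print "no rows read" > "/dev/stderr"; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++)
                if (!(i in live)) { print name[i]; bad = 1 }
            exit bad
        }'
}

# Constructed sample rows (not real capture data), one per line, tab-separated,
# in the order of COLS.
sample_rows() {
    case "$1" in
    good)
        printf '1919283189\t46934\t123.123.123.123\t192.168.1.123\t100\t200\t443\t1120\t6\n'
        printf '1919283190\t1320\t192.168.1.7\t123.123.123.123\t200\t100\t53211\t25\t6\n'
        printf '1919283191\t96\t192.168.1.7\t123.123.123.123\t200\t100\t0\t0\t1\n'  # ICMP: ports 0 are normal
        ;;
    broken)  # interface indexes never set: input and output are 0 in every row
        printf '1919283189\t46934\t123.123.123.123\t192.168.1.123\t0\t0\t443\t1120\t6\n'
        printf '1919283190\t1320\t192.168.1.7\t123.123.123.123\t0\t0\t53211\t25\t6\n'
        ;;
    esac
}

# "sh thisscript demo" runs the check over both constructed samples.
case "${1:-}" in
demo)
    sample_rows good   | dead_columns "$COLS" && echo "good sample: every column carries data"
    sample_rows broken | dead_columns "$COLS" || echo "broken sample: the columns above are dead"
    ;;
esac
```

A single row with a 0 port or a 0 interface index is normal (ICMP has no ports), which is why the check only flags a column that is zero in every sampled row; query a few hundred recent rows rather than five so that one odd flow cannot mask a broken mapping. In the broken sample the dead columns are input and output, which with the INTERFACE="eth:100,ppp:200" mapping above points at the interface-to-SNMP-index step rather than at MySQL.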
- Install the alLANBilling web interface to view the statistics.