Netflow

[deliverer]

Is it possible to add Netflow to the Merlin builds? Has anyone else requested support?

 

[jernau]

Just install softflowd via optware that's what I use to gather stats for NTOP

 

[deliverer]

Just install softflowd via optware that's what I use to gather stats for NTOP

Any good links on how to install this?

 

[jernau]

This may not be the best method as I'm not aware of an entware package for softflowd but this is the way I did it on my RT-N66U

Install Entware using the instructions on Merlin's WIKI;
https://github.com/RMerl/asuswrt-merlin/wiki/Entware

Download the attached file, unzip and copy softflowd_0.9.8-3_entware.ipk to your router

issue the command opkg install ./softflowd_0.9.8-3_entware.ipk

edit the file /opt/etc/init.d/S29softflowd and edit the following line to include the IP address and port of your netflow collector;

ARGS="-i br0 -n your_flow_collector_iport -m 16000"

e.g.

ARGS="-i br0 -n 192.168.9.68:2055 -m 16000"

 

[ckong]

I managed to get Netflow working on Entware using the package "ipcad". I'm not an expert, but here are simple install instructions I managed to google/piece together:

1. Install ipcad and libpcap (install command installed both for me)
opkg update
opkg install ipcad

2. Edit ipcad config (assuming server is at 192.168.1.200; commented lines left for completeness sake)
vim /tmp/mnt/sda1/asusware/etc/ipcad.conf
# interface ed0;
# interface ed1 promisc filter "ip and not dst net 192.168.0.0/16";
# interface sbni0 input-only netflow-disable; # Disable NetFlow.
# interface ppp*; # Dynamically pick up PPP interfaces.
# interface ulog group 3, group 15; # Use ULOG, do not disable NetFlow.
# interface ipq; # Use Linux IPQ (libipq(3))
# interface tee port 123; # Use BSD ipfw(8)'s tee.
# interface divert port 321 netflow-disable; # Use ipfw(8)'s divert(4).
interface eth0 promisc;
netflow export destination 192.168.1.200 2055;
# dumpfile = ipcad.dump;
# chroot = /adm/tmp;
# rsh enable at 127.0.0.1;
rsh disable

3. Test run (all on one line)
/tmp/mnt/sda1/asusware/bin/ipcad -c /tmp/mnt/sda1/asusware/etc/ipcad.conf -d

To manually stop, just "killall ipcad" as a ctrl-c doesn't seem to work.

Once working, you can add command(s) to startup script /jffs/scripts/services-start.

To test to see if the netflow is working, you can try using flow-capture/flow-cat or just install ntop or ntopng/nprobe.

 

[Booger Marine]

This may not be the best method as I'm not aware of an entware package for softflowd but this is the way I did it on my RT-N66U

Install Entware using the instructions on Merlin's WIKI;
https://github.com/RMerl/asuswrt-merlin/wiki/Entware

Download the attached file, unzip and copy softflowd_0.9.8-3_entware.ipk to your router

issue the command opkg install ./softflowd_0.9.8-3_entware.ipk

edit the file /opt/etc/init.d/S29softflowd and edit the following line to include the IP address and port of your netflow collector;

ARGS="-i br0 -n your_flow_collector_iport -m 16000"

e.g.

ARGS="-i br0 -n 192.168.9.68:2055 -m 16000"

So I tried all this on my RT-N66U and I get the following whenever I try to start softflowd:


admin@RT-N66U:/tmp/mnt/usbdrive/entware/etc/init.d# /opt/etc/init.d/S29softflow stop
mkdir: can't create directory '/var/empty': File exists
Checking softflowd... dead.
admin@RT-N66U:/tmp/mnt/usbdrive/entware/etc/init.d# /opt/etc/init.d/S29softflow start
mkdir: can't create directory '/var/empty': File exists
Starting softflowd... failed.
admin@RT-N66U:/tmp/mnt/usbdrive/entware/etc/init.d#

It seems it can't start for some reason. I have no idea why not. Any suggestions?

EDIT: I found a solution to solve this error.

So I manually ran "softflowd" and I noticed it was complaining:

admin@RT-N66U:/tmp/home/root# softflowd
softflowd: can't load library 'libpcap.so.1'

I know that libpcap was installed, so I looked on the usb drive in the entware/lib folder and saw the following files:

lrwxrwxrwx 1 admin root 14 Mar 11 00:39 libpcap.so -> libpcap.so.1.3
lrwxrwxrwx 1 admin root 16 Mar 11 00:39 libpcap.so.1.3 -> libpcap.so.1.3.0
-rw-r--r-- 1 admin root 229760 Feb 24 05:05 libpcap.so.1.3.0

I noticed there was no "libpcap.so.1" in the list, plus the first two files are just symbolic links to libpcap.so.1.3.0, so I made my own link:

ln -s libpcap.so.1.3.0 libpcap.so.1

Then I tried to start the service again, and, SUCCESS!

admin@RT-N66U:/tmp/mnt/usbdrive/entware/lib# /opt/etc/init.d/S29softflow start
mkdir: can't create directory '/var/empty': File exists
Starting softflowd... done.

Now to figure out why my collector isn't receiving any data....

 

[Alives]

Did you ever find out why your collector wasn't receiving data? I'm having the same issue. I can connect to ntop from the router via netcat successfully, but it seems softflowd isn't connecting for some reason.

 

[busch09]

I got ipcad to work. I am exporting eth0,1,2 and vlan2 but I only see one interface in the destination called Interface 65535.
Any idea how to achieve separate reporting for all 4 interfaces?

 

[baseer]

I got ipcad to work. I am exporting eth0,1,2 and vlan2 but I only see one interface in the destination called Interface 65535.
Any idea how to achieve separate reporting for all 4 interfaces?

how did you get ipcad to work?

what steps/guide did you use?

 

[busch09]

@baeser basically what ckong mentioned above. I am running scrutinizer & prtg netflow v5 sensors.
of course you have to use the netflow sensor, not the sflow one.

 

[Keith Lovatt]

I don't know if it will help anybody, but I found an answer to the question of separating interfaces with ipcad.

If you enable capture-ports, the interfaces start working. Not exactly how I like, but it is functional.

Setting in ipcad.conf:

capture-ports enable;

Reference:
https://sourceforge.net/p/ipcad/support-requests/8/