Mar 12 2013

Netflow (or perhaps IPFIX if you want to be vendor agnostic) is a means by which information on network traffic flows can be stored and sent on to an analysis workstation. As such, there are two parts to the process of getting it all up and running – getting flows exported from the router, and getting something to read the flows for analysis.

Configuring The Flow Export

The first thing to do is to determine what interface(s) to monitor network traffic on as each interface needs to be independently configured. In most circumstances, the WAN link is the interface of interest, so we enable things on that interface :-

# conf t
config# interface dialer 0
config_if# ip route-cache flow
config_if# end
# wr mem

The guide I followed also suggested setting the bandwidth value to enable percentage utilisation calculations. I was lazy and skipped this. It also noted that for accurate flow statistics it is necessary to enable flow collection on all participating interfaces. Once this has been enabled, it should be possible to see something of what is going on with the show ip cache flow command.

It is also a good idea to export the flows somewhere :-

# conf t
config# ip flow-export destination scrofula 9996
config# ip flow-export source dialer 0
config# ip flow-export version 9
config# snmp-server ifindex persist
config# end
# wr mem

The use of version 9 is dependent on what your analyser software can support. The snmp-server command keeps interface indexes persistent across reboots.
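As an added illustration (not from the original post, and not Ntop's code) of what the collector on scrofula receives on UDP port 9996 once version 9 export is on, the following Python decodes a constructed v9 packet carrying one template and one flow record; the template layout, addresses and counters are made up for the example.

```python
import socket
import struct
# NetFlow v9 field type IDs (RFC 3954) used by the constructed template below
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def decode_field(ftype, raw):
    """Render a field's bytes: dotted-quad for IPv4 address fields, integer otherwise."""
    return socket.inet_ntoa(raw) if ftype in (8, 12) and len(raw) == 4 else int.from_bytes(raw, "big")

def parse_netflow_v9(packet):
    """Parse one v9 export packet into (header, templates, records); templates apply to later flowsets."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    templates, records, offset = {}, [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")  # refuse truncated or garbled input
        body, offset = packet[offset + 4:offset + length], offset + length
        if flowset_id == 0:  # template flowset: template id, field count, then (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pairs = body[pos + 4:pos + 4 + 4 * nfields]
                templates[tid] = [struct.unpack("!HH", pairs[i:i + 4]) for i in range(0, len(pairs), 4)]
                pos += 4 + 4 * nfields
        elif flowset_id >= 256 and flowset_id in templates:  # data flowset keyed by template id
            fields = templates[flowset_id]
            rec_len, pos = sum(flen for _, flen in fields), 0
            while rec_len and pos + rec_len <= len(body):  # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # a data flowset whose template has not arrived yet is skipped, as a real collector would
    return header, templates, records

def build_sample_packet():
    """Constructed packet: a template (id 256) followed by one data record that uses it."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    template = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", t, l) for t, l in layout)
    record = (socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.20")
              + struct.pack("!HHBI", 51000, 443, 6, 1500))
    header = struct.pack("!HHIIII", 9, 2, 123456, 1363046400, 1, 0)  # count=2: one template + one record
    return (header + struct.pack("!HH", 0, 4 + len(template)) + template
            + struct.pack("!HH", 256, 4 + len(record)) + record)
```

Because v9 data is only decodable once its template has arrived, a collector started mid-stream will log nothing for a flowset until the router's next template refresh; that is normal, not a misconfiguration.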

Analysing with NTOP

The installation of this package was accomplished with :-

# apt-get install ntop

This rather depends on the server in question running Debian of course! The details of configuring Ntop are left as an exercise!