Configure Netflow for Trisul
You can have your routers export Netflow records to Trisul. From these records Trisul computes detailed traffic statistics. This is the right approach when you are more interested in traffic monitoring than in packet-level forensics.
From a Network Security Monitoring viewpoint, Netflow mode offers fewer data types than packet mode, because only flow summaries, not the packets themselves, reach Trisul.
| Data type | Packets | Netflow |
|---|---|---|
| Traffic Statistics | Available | Available |
| Flows | Available | Available |
| Alerts | Available | Not available |
| Resources | Available | Not available |
| Real time stabbers | Available | Not available |
| Packets | Available | Not available |
The advantages of Netflow are
- easier distributed deployment
- less expensive & can handle high speeds
- scales far better than packets
The rest of this document describes how to set up Netflow.
Switch to Netflow mode
Configure your routers
Configure your routers/switches to send Netflow to one of the Trisul server's IP addresses.
Note the following information:
- Which interfaces on the Trisul server receive the Netflow records (eth0, eth1, eth2, etc.)?
- Which UDP ports receive the Netflow records? The default is UDP 2055; if you haven't changed the configuration, you don't need to worry about the port.
Confirm if Netflow records are indeed coming in on the specified interface using tcpdump
sudo tcpdump -i eth0 -nnn "udp port 2055"
You should see some data within a minute or so (exporters only send a flow once it has expired or timed out, so a little patience is normal). If not, check the other interfaces (eth1, eth2, ...). If nothing arrives on any interface, check the export destination configured on the router and any host firewall rule that could drop UDP 2055. Make sure you have confirmed that Netflow is arriving before proceeding; this will save you a lot of hair pulling in later steps.
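tcpdump only proves that something is hitting UDP 2055. The following is an added example (not part of the Trisul documentation or product) that goes one step further: a minimal NetFlow v5 decoder plus a UDP listener that reports which exporter each datagram came from, which NetFlow version it carries (v5, v9 or IPFIX) and how many flow records it contains. The port, bind address and timeout are assumptions you can change; the sample datagram built by build_v5_packet is constructed data, not a real capture. Run it before switching Trisul to NETFLOW_TAP mode, or on another port, because only one process can bind UDP 2055 at a time.

```python
# Added example, not Trisul's code: decode NetFlow v5 datagrams and listen on
# the collector port to confirm exporter, version and record count.
import socket
import struct
import sys
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_packet(data: bytes) -> dict:
    """Decode one exported datagram.

    v5 is decoded fully. v9 (version 9) and IPFIX (version 10) are only
    identified: their records cannot be read without the template packets
    the exporter sends separately.
    """
    if len(data) < 2:
        raise ValueError("datagram too short to carry a NetFlow version field")
    version = struct.unpack_from("!H", data)[0]
    if version != 5:
        return {"version": version, "count": None, "records": []}
    if len(data) < V5_HEADER.size:
        raise ValueError("truncated NetFlow v5 header")
    (_, count, uptime_ms, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(data)
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < needed:
        raise ValueError(f"header announces {count} records but only "
                         f"{len(data)} of {needed} bytes were received")
    records = []
    for i in range(count):
        (src, dst, nexthop, if_in, if_out, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         *_as_and_masks) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "if_in": if_in, "if_out": if_out,
            "proto": proto, "sport": sport, "dport": dport,
            "pkts": pkts, "octets": octets,
            "tcp_flags": tcp_flags, "duration_ms": last - first,
        })
    return {
        "version": 5, "count": count, "seq": seq, "uptime_ms": uptime_ms,
        "unix_secs": unix_secs,
        # low 14 bits are the sampling interval; 0 means every packet was seen
        "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def build_v5_packet(flows, seq=1) -> bytes:
    """Construct a v5 datagram for offline testing (constructed data, not a
    real capture). Each flow is (src, dst, proto, sport, dport, pkts, octets)."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1700000000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed,
                       IPv4Address("10.0.0.1").packed, 1, 2, pkts, octets,
                       100000, 100500, sport, dport, 0, 0x18, proto, 0,
                       0, 0, 24, 24, 0)
        for (s, d, proto, sport, dport, pkts, octets) in flows)
    return header + body


def listen(port=2055, bind_addr="0.0.0.0", max_packets=5, timeout_s=60.0):
    """Receive up to max_packets datagrams and return (exporter, version,
    record count) tuples; print a hint when nothing arrives in time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(timeout_s)
    seen = []
    try:
        while len(seen) < max_packets:
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                info = parse_packet(data)
            except ValueError as err:
                print(f"{exporter}: malformed datagram ({err})")
                continue
            seen.append((exporter, info["version"], len(info["records"])))
            print(f"{exporter}: NetFlow v{info['version']}, "
                  f"{len(info['records'])} records")
    except socket.timeout:
        print(f"no NetFlow on UDP {port} within {timeout_s:.0f}s: check the router "
              "export target, the interface and any host firewall")
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    if "--listen" in sys.argv:
        listen()
    else:
        sample = build_v5_packet([("10.1.1.5", "198.51.100.53", 17, 53000, 53, 3, 210)])
        for rec in parse_packet(sample)["records"]:
            print(rec)
```

Run it with --listen (as root, or with a port above 1024 if your routers export there) while your routers are exporting; without arguments it decodes the constructed sample. Seeing version 9 or 10 where you expected v5 is worth knowing before you spend time on the later steps.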
Change to NETFLOW_TAP mode in trisulConfig.xml
Open the trisulConfig.xml file and change the TrisulMode parameter to NETFLOW_TAP
Restart trisul and webtrisul
You can use the web interface or command line.
From the Web Interface
Go to Admin → Tasks
From this page stop/start Trisul then restart Web Trisul. You have to login again after the restart.
From the command line
# on centos
service trisul restart
service webtrisuld restart
# on ubuntu
/etc/init.d/trisul restart
/etc/init.d/webtrisuld restart
That's it! Now wait for about 10 minutes for data to start showing up.
Next steps
Perform the following steps only if they apply to your setup.
Change the interfaces on which Trisul listens for Netflow
By default Trisul listens on eth0 for Netflow records. If your records arrive on a different or on additional interfaces:
Select Customize → Capture Adapter
- eth0 would be enabled by default
- Add additional interfaces if required
- Enable all interfaces on which you expect netflow records
Change the Netflow ports
By default Trisul will attempt to decode
- UDP ports 2055,2056,2057 as Netflow
If you want to change this or use additional ports:
Select Customize → Access Points
- Click on UDP
- Press Add, enter a new port number and select Netflow from the protocol list
Specify your Home Network
If your home network consists entirely of private (RFC 1918) address space then there is nothing to be done. Otherwise you need to tell Trisul about your address space, or traffic to your public ranges will be counted as external.
Select Customize → Capture Adapter
- Click on Add a new home network
- Enter an IP and a subnet mask (e.g. 59.92.0.0 and 255.255.0.0) that represent your home network
- Add additional ranges if any
For more details see Home networks
Advanced configuration
You can tweak the netflow configuration file for more advanced settings.
Typically, you don't need to do this because the defaults have been carefully selected for you.