Nagios Network Analyzer - Receiving Netflow Traffic On IPv6


Overview

This KB article provides the technical steps necessary to enable a Source in Nagios Network Analyzer to receive netflow traffic on IPv6 addresses.

Nagios Network Analyzer runs an instance of the nfcapd program for each source to listen for netflow traffic. By default this program listens only for traffic on interfaces with an IPv4 address. It does have an option to listen on interfaces with an IPv6 address; however, when that option is enabled it no longer listens on IPv4 addresses.

This KB article shows you how to configure the backend scripts that run the nfcapd program to enable IPv6 support for a specific network port. This allows you to create dedicated source(s) for IPv6 without interfering with existing sources that use IPv4.

This KB article was written for Nagios Network Analyzer 2.2.3. It is possible that version 3 onwards will have built-in support for IPv6, so please check the product first before attempting these changes.

Solution

This solution requires you to create a source that will be dedicated to receiving IPv6 traffic. Create a source as you normally would; in this example port 9913 is used.

Once the source has been created, the next step is to stop it. On the Sources page click the Stop link in the Actions column.

Now that the source has been stopped, open a terminal session to your Nagios Network Analyzer server as the root user. Execute the following commands to back up the capd.py file and edit it in the vi text editor:

cd /usr/local/nagiosna/bin/
cp capd.py capd.py.backup
vi capd.py

When using the vi editor, press i on the keyboard first to enter insert mode before making changes. Press Esc to exit insert mode.

Now you need to jump down to the section you will insert code into. To jump there, type:

:62

and press Enter.

You should see something like this:

    #~ Specify our pidfile
    cmd += ['-P', pidfile]
    #~ Make sure we daemonize and tell it to auto-expire flows and compress.
    cmd += ['-D', '-e', '-w', '-z']

    expire = ['/usr/local/bin/nfexpire', '-t', lifetime, '-u', os.path.join(directory, 'flows')]

You are going to add some lines between cmd and expire. The lines being added are an IF statement that applies only when the port number of your source matches; in this example port 9913 is used. Here are the lines being added:

    if port == 9913:
        cmd += ['-6']

This is a Python script and the spaces at the beginning of each line are very important. The first line has four (4) spaces and the second line has eight (8) spaces, which means pressing the spacebar four or eight times.

Here is what it should look like:

    #~ Specify our pidfile
    cmd += ['-P', pidfile]
    #~ Make sure we daemonize and tell it to auto-expire flows and compress.
    cmd += ['-D', '-e', '-w', '-z']

    if port == 9913:
        cmd += ['-6']

    expire = ['/usr/local/bin/nfexpire', '-t', lifetime, '-u', os.path.join(directory, 'flows')]

When you have finished, save the changes in vi by typing:

:wq

and press Enter.

Now execute this command to validate that the changes you made are correct:

python -m py_compile capd.py

If it is correct then there will be no output. An example of an error is as follows:

Sorry: IndentationError: ('unindent does not match any outer indentation level', ('capd.py', 63, 20, '   if port == 9913:\n'))

If you receive such an error then you will need to resolve it before proceeding.

Now you can return to the Nagios Network Analyzer web interface and start the source. After starting the source you can confirm that it is now listening on IPv6 for this specific port by executing the following command:

ps aux | grep nfcapd

You should see something like this:

nna 24942 0.0 0.1 17860 2624 ? S 10:05 0:00 /usr/local/bin/nfcapd -I 2 -l /usr/local/nagiosna/var/pfSenseIPv6/flows -p 9913
-x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/pfSenseIPv6/9913.pid -D -e -w -z -6

nna 24944 0.0 0.0 6576 456 ? S 10:05 0:00 /usr/local/bin/nfcapd -I 2 -l /usr/local/nagiosna/var/pfSenseIPv6/flows -p 9913
-x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/pfSenseIPv6/9913.pid -D -e -w -z -6

nna 28637 0.0 0.1 17860 2744 ? S May11 0:00 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/nProbe/flows -p 2055
-x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/nProbe/2055.pid -D -e -w -z

nna 28639 0.0 0.0 6576 796 ? S May11 0:02 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/nProbe/flows -p 2055
-x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/nProbe/2055.pid -D -e -w -z

The output is quite long and each process's command line wraps over two lines. The first two entries show the -6 flag for the source listening on port 9913, which means it's listening on IPv6. It's normal for two nfcapd processes to appear for one source. The bottom two entries do not have the -6 flag, meaning they are still IPv4.

If you require multiple IPv6 sources it's simply a matter of adding multiple IF statements to the capd.py file.

Upgrading Nagios Network Analyzer will discard these changes; keep this in mind when performing an upgrade in the future.
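
As an added example that is not part of this article or of the Nagios Network Analyzer code, the following Python shows a table-driven form of the capd.py edit (one set of ports instead of a stack of IF statements) together with a parser for the ps aux output above that reports which nfcapd listener carries the -6 flag. The names IPV6_PORTS, build_nfcapd_cmd and nfcapd_listeners are assumptions, and the command builder only rebuilds the arguments the article shows.

```python
import os
import re
import shlex

# Ports whose nfcapd instance must listen on IPv6 (assumed set; edit to taste).
# One membership test replaces a stack of hand-written `if port == ...:` blocks.
IPV6_PORTS = {9913}


def build_nfcapd_cmd(port, directory, pidfile, ipv6_ports=IPV6_PORTS):
    """Rebuild the part of the nfcapd argument list shown in the article
    (-l, -p, -P, -D -e -w -z), appending -6 only for ports in ipv6_ports."""
    cmd = ['/usr/local/bin/nfcapd',
           '-l', os.path.join(directory, 'flows'), '-p', str(port)]
    # Specify our pidfile
    cmd += ['-P', pidfile]
    # Daemonize, auto-expire flows and compress, as in the original script
    cmd += ['-D', '-e', '-w', '-z']
    if int(port) in ipv6_ports:
        cmd += ['-6']          # nfcapd then listens on IPv6 instead of IPv4
    return cmd


def nfcapd_listeners(ps_output):
    """Parse `ps aux` text and return {port: 'ipv6' | 'ipv4'} for each nfcapd
    process.  Command lines the terminal wrapped onto a following '-x ...'
    line are re-joined first, so output pasted from the article parses as-is."""
    joined = re.sub(r'\s*\n\s*(?=-x )', ' ', ps_output)
    listeners = {}
    for line in joined.splitlines():
        argv = shlex.split(line)
        start = next((i for i, a in enumerate(argv) if a.endswith('/nfcapd')), None)
        if start is None:      # not an nfcapd process (e.g. the grep itself)
            continue
        args = argv[start:]
        port = int(args[args.index('-p') + 1])
        listeners[port] = 'ipv6' if '-6' in args else 'ipv4'
    return listeners


# Two entries copied from the ps output shown in the article.
SAMPLE_PS = """\
nna 24942 0.0 0.1 17860 2624 ? S 10:05 0:00 /usr/local/bin/nfcapd -I 2 -l /usr/local/nagiosna/var/pfSenseIPv6/flows -p 9913
-x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/pfSenseIPv6/9913.pid -D -e -w -z -6
nna 28637 0.0 0.1 17860 2744 ? S May11 0:00 /usr/local/bin/nfcapd -I 1 -l /usr/local/nagiosna/var/nProbe/flows -p 2055
-x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/nProbe/2055.pid -D -e -w -z
"""

if __name__ == '__main__':
    print(nfcapd_listeners(SAMPLE_PS))   # {9913: 'ipv6', 2055: 'ipv4'}
```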

 

 

Confirm It's Working

It can take up to 15 minutes for the Nagios Network Analyzer GUI to display information about the flows it has received. There are some checks you can perform at the command line to see if it's working.

You can look at the nfcapd files that are generated every five minutes and see if they are larger than the default size of 276 bytes.

This command will display the contents of the flows directory for the source pfSenseIPv6:

ls -la /usr/local/nagiosna/var/pfSenseIPv6/flows/

You should see something like this:

total 48
drwxrwsr-x+ 2 nna nnacmd 4096 May 17 10:10 .
drwxrwsr-x+ 3 nna nnacmd 4096 May 17 10:05 ..
-rw-r--r--+ 1 nna nnacmd  276 May 17 09:43 nfcapd.201705170940
-rw-r--r--+ 1 nna nnacmd  276 May 17 10:10 nfcapd.201705171005
-rw-r--r--+ 1 nna nnacmd  276 May 17 10:10 nfcapd.current.24940
-rw-r--r--+ 1 nna nnacmd  102 May 17 10:10 .nfstat

Currently the files are 276 bytes in size. This means that either the network traffic is not being sent to your IPv6 address or perhaps a firewall is blocking the traffic.

To confirm the data is being received you can use the tcpdump program. This will confirm that the traffic is reaching your Nagios Network Analyzer server: tcpdump captures inbound packets before the local firewall rules are applied, so it will show the flow packets even if the local firewall is dropping them.

Install tcpdump with this command:

RHEL | CentOS

yum install -y tcpdump

Debian | Ubuntu

apt-get install -y tcpdump


Watch the network traffic with this command:

tcpdump -nnvvS -i ens32 udp dst port 9913

You will need to change -i to the network interface to listen on, and the port number to the one relevant to your situation. You should see traffic come in that looks something like:

tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 65535 bytes
10:24:01.337866 IP6 (flowlabel 0x94e01, hlim 64, next-header UDP (17) payload length: 400)
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx.15839 > yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy.9913: [udp sum ok] UDP, length 392

You might need to wait a minute or two as flow data might not be received that frequently. If you are receiving flow data and the nfcapd files are still the default size after waiting five minutes, then it's likely the local firewall is blocking the traffic. The following commands will create the firewall rules depending on the operating system version you are running:

RHEL 7+ | CentOS 7+

firewall-cmd --zone=public --add-port=9913/udp
firewall-cmd --zone=public --add-port=9913/udp --permanent

Debian

iptables only filters IPv4 traffic, so an IPv6 source needs the equivalent ip6tables rule as well:

iptables -I INPUT -p udp --destination-port 9913 -j ACCEPT
ip6tables -I INPUT -p udp --destination-port 9913 -j ACCEPT

Ubuntu

ufw allow proto udp from any to any port 9913
ufw reload

After applying these firewall rules you will need to wait approximately five minutes to see if the nfcapd files are larger than the default size, for example:

-rw-r--r--+ 1 nna nnacmd  276 May 17 11:00 nfcapd.201705171055
-rw-r--r--+ 1 nna nnacmd 3084 May 17 11:05 nfcapd.201705171100
-rw-r--r--+ 1 nna nnacmd  276 May 17 11:05 nfcapd.current.1865
-rw-r--r--+ 1 nna nnacmd  103 May 17 11:05 .nfstat

You can see the most recent nfcapd file has a size of 3084 bytes, which means that netflow traffic is successfully being received by Nagios Network Analyzer. Once this happens you should see data in the Top 5 Talkers table when viewing the source; however, it may take up to 15 minutes for the graphs to show data.
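
As an added example, not part of this article or of Nagios Network Analyzer, the following Python applies the "larger than 276 bytes" check from this section to a flows directory and reports whether flows are arriving and how old the newest completed file is, which tells you whether the five-minute wait has passed. flows_status, make_sample_dir and EMPTY_NFCAPD_SIZE are assumed names; the sample directories are constructed to mirror the two listings above.

```python
import os
import re
import tempfile
import time

EMPTY_NFCAPD_SIZE = 276   # bytes: a five-minute nfcapd file that holds no flows
# Completed files only (nfcapd.YYYYMMDDhhmm); nfcapd.current.* is still being written.
COMPLETED_FILE = re.compile(r'^nfcapd\.\d{12}$')


def flows_status(flows_dir, now=None):
    """Apply the article's size test to the completed nfcapd files in flows_dir.
    'receiving' is True when the newest completed file is larger than the
    empty size; 'age_min' is how many minutes old that file is."""
    now = time.time() if now is None else now
    completed = sorted(f for f in os.listdir(flows_dir) if COMPLETED_FILE.match(f))
    if not completed:
        return {'receiving': False, 'with_data': 0, 'newest': None,
                'newest_size': None, 'age_min': None}
    sizes = {f: os.path.getsize(os.path.join(flows_dir, f)) for f in completed}
    newest = completed[-1]                 # timestamp suffix sorts chronologically
    age_min = (now - os.path.getmtime(os.path.join(flows_dir, newest))) / 60
    return {'receiving': sizes[newest] > EMPTY_NFCAPD_SIZE,
            'with_data': sum(1 for s in sizes.values() if s > EMPTY_NFCAPD_SIZE),
            'newest': newest, 'newest_size': sizes[newest],
            'age_min': round(age_min, 1)}


def make_sample_dir(sizes):
    """Construct a throw-away flows directory from {filename: size_in_bytes}."""
    d = tempfile.mkdtemp()
    for name, size in sizes.items():
        with open(os.path.join(d, name), 'wb') as fh:
            fh.write(b'\0' * size)
    return d


if __name__ == '__main__':
    # Constructed to mirror the two directory listings in this section.
    blocked = make_sample_dir({'nfcapd.201705171005': 276,
                               'nfcapd.current.24940': 276, '.nfstat': 102})
    working = make_sample_dir({'nfcapd.201705171055': 276,
                               'nfcapd.201705171100': 3084, '.nfstat': 103})
    print(flows_status(blocked))   # receiving False: check the exporter or firewall
    print(flows_status(working))   # receiving True
```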

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/



Article ID: 587
Created On: Tue, May 16, 2017 at 7:36 PM
Last Updated On: Thu, Mar 11, 2021 at 12:52 PM
Authored by: tlea

Online URL: https://support.nagios.com/kb/article/nagios-network-analyzer-receiving-netflow-traffic-on-ipv6-587.html