Nfsen: Traffic Classification (2024)

by Stefan Durand

Nfsen is open source sensor: it accepts netflow data from multiple netflow probes (servers, routers, vpn concentrators etc) and then visualizes it into human readable form. So using Nfsen you can see traffic statistics of every network device in your network in one place (actually Nfsen provides much more features).

By default Nfsen makes it possible to see only inbound and outbound traffic statistics but no protocol breakdown or anytraffic classification. In the meantime it’s always useful to know what network applications are eating the bandwidth to understand if that fits baseline or not and take necessary actions. For example, if you’re monitoring Linux server which primary task is to host some website but in Nfsen you see that it generates 90% of SSH traffic and only 10% of web traffic then it would be reasonable idea to check if somebody is trying to brute force SSH password and stop that activity. In other words it’s better to have traffic statistics classified. In this article I’ll tell you how to enable traffic classification in Nfsen.



If you’re not familiar with Nfdump and Nfsen just follow this article and/or read Nfsen documentation. As soon as Nfsen is workable and shows some traffic statistics it’s time to create new profile for traffic classification.

1. Go to Nfsen main page http://{your_nfsen_server}/nfsen/nfsen.php and choose Profile –> New Profile.

2. Choose the name for new profile, select its type as Shadow, set expiration and choose necessary source(s) of Netflow data.

3. As the next step you would have to create the two channels for every traffic pattern: www-in for inbound HTTP traffic, www-out for outbound HTTP traffic, pop3-in for inbound POP3 traffic and so on. Every channel should include corresponding filter to pick out traffic of particular kinds from general traffic, for example for inbound HTTP traffic it will be something like ‘((src port 80 and proto tcp) and (src port 443 and proto tcp))’ and so on.

Below is the script that makes it possible to save time and not to type in those channels and their filters by hands.

4. Create new folder for the script and its components:

mkdir -p /path/to/script/breakdown/cd /path/to/script/breakdown/

5. Create file protocols.list that will include traffic classifications by port numbers and protocols. Syntax is pretty simple:

/ [/] [...]|

Port ranges should be specified as <port_start>-<port_end>. Here is my protocols.list file:

80/tcp 80/udp 443/tcp 443/udp|http20-21/tcp 20-21/udp 989-990/tcp 989-990/udp|ftp5190-5193/tcp 1863/tcp 531/tcp 531/udp 5050/tcp 5190/tcp 5222/tcp 5223/tcp 5269/tcp 5298/tcp 5298/udp 6660-6664/tcp 6665-6669/tcp 6679/tcp 6697/tcp 1247/udp 2940-3000/tcp|im5060-5061/tcp 5060-5061/udp|sip22/tcp 22/udp 911/tcp|ssh23/tcp 23/udp 107/tcp 992/tcp 992/udp|telnet110/tcp 995/tcp|pop3143/tcp 993/tcp|imap25/tcp 465/tcp|smtp53/udp 53/tcp 953/tcp 953/udp 5353/udp|dns161-162/tcp 161-162/udp|snmp1494/tcp 2512/tcp 2513/tcp 1604/udp 8082/tcp 27000/tcp 2598/tcp 9001-9002/tcp 9005/tcp 2897/tcp|citrix1194/tcp 1194/udp 5000/tcp 5000/udp 12972/tcp 32976/tcp|vpn1645-1646/tcp 1645-1646/udp 1812-1823/tcp 1812-1813/udp 2083/tcp|radius

6. Create file colors.list (it will include colors for each traffic type), here is mine:

#FF0000#FCFF00#00FF2A#FFA800#613702#133D7C#00EAFF#9600FF#FF00C6#B0F10F#746FAE#993366#B8860B#CCFFFF#660066#FF6666#0066CC#CCCCFF#000066#0000FF#A7A3A3#C4B782

7. Create main script add.nfsen.channels.sh (don’t forget to change path to nfsen binary in the beginning of this shell script):

#!/bin/bashnfsen="/opt/nfsen/bin/nfsen"remote=$1ips=$2group=$3if [[ $1 == "" || $2 == "" || $3 == "" ]];thenexitfi$nfsen -a $group/$remote shadow=1dstfilter=""for dstip in $2;doif ((${#dstfilter}>0));thendstfilter=$dstfilter" or dst net "$dstipelsedstfilter="(dst net "$dstipfidonedstfilter=$dstfilter")"srcfilter=""for srcip in $2;do if ((${#srcfilter}>0));then srcfilter=$srcfilter" or src net "$srcip else srcfilter="(src net "$dstip fidonesrcfilter=$srcfilter")"colorcounter=0cat ./protocols.list | while read line;doechoechoecho $linelet colorcounter++currentcolor=$(head -n $colorcounter colors.list | tail -1)dstportfilter=""srcportfilter=""otherdstportfilter=""othersrcportfilter=""serviceport=$(echo $line | awk -F '|' '{print$1}')servicename=$(echo $line | awk -F '|' '{print$2}')for line1 in $serviceport;doif [[ -n $(echo $line1 | grep '-') ]];then#rangeport1=$(echo $line1 | awk -F '/' '{print$1}' | awk -F '-' '{print$1}')port2=$(echo $line1 | awk -F '/' '{print$1}' | awk -F '-' '{print$2}') proto=$(echo $line1 | awk -F '/' '{print$2}')let "port1n=port1-1" let "port2n=port2+1"if ((${#srcportfilter}>0));then srcportfilter=$srcportfilter" or (src port > $port1n and src port $port1n and src port 0));then dstportfilter=$dstportfilter" or (dst port > $port1n and dst port $port1n and dst port 0));then othersrcportfilter=$othersrcportfilter" and not (src port > $port1n and src port $port1n and src port 0));then otherdstportfilter=$otherdstportfilter" and not (dst port > $port1n and dst port $port1n and dst port 0));thensrcportfilter=$srcportfilter" or (src port $port and proto $proto)"elsesrcportfilter="(src port $port and proto $proto)"fiif ((${#dstportfilter}>0));then dstportfilter=$dstportfilter" or (dst port $port and proto $proto)" else dstportfilter="(dst port $port and proto $proto)" fi#for otherif ((${#othersrcportfilter}>0));then othersrcportfilter=$othersrcportfilter" and not (src port $port and proto $proto)" else othersrcportfilter="not (src port $port and proto $proto)" fi if ((${#otherdstportfilter}>0));then otherdstportfilter=$otherdstportfilter" and not (dst port $port and proto $proto)" else otherdstportfilter="not (dst port $port and proto $proto)" fifidone$nfsen --add-channel $group/$remote/$servicename-in sourcelist="BComEdgeDE1-1" filter="$dstfilter and ($srcportfilter)" colour="$currentcolor" sign=+ order=$colorcounter$nfsen --add-channel $group/$remote/$servicename-out sourcelist="BComEdgeDE1-1" filter="$srcfilter and ($dstportfilter)" colour="$currentcolor" sign=- order=$colorcounterotherdstportfilterall=$otherdstportfilterall" and ("$otherdstportfilter")"othersrcportfilterall=$othersrcportfilterall" and ("$othersrcportfilter")"echo $otherdstportfilterall > /tmp/otherdstportfilterallecho $othersrcportfilterall > /tmp/othersrcportfilterallecho $colorcounter > /tmp/colorcounterdoneif [[ -s /tmp/otherdstportfilterall && -s /tmp/othersrcportfilterall && -s /tmp/colorcounter ]];thenotherdstportfilterall=$(cat /tmp/otherdstportfilterall)othersrcportfilterall=$(cat /tmp/othersrcportfilterall)colorcounter=$(cat /tmp/colorcounter)let colorcounter++$nfsen --add-channel $group/$remote/other-in sourcelist="BComEdgeDE1-1" filter="$dstfilter $othersrcportfilterall" colour="#000000" sign=+ order=$colorcounter$nfsen --add-channel $group/$remote/other-out sourcelist="BComEdgeDE1-1" filter="$srcfilter $otherdstportfilterall" colour="#000000" sign=- order=$colorcounterfirm -f /tmp/otherdstportfilterallrm -f /tmp/othersrcportfilterallrm -f /tmp/colorcounter$nfsen --commit-profile $group/$remote

7. Lauch the script using the following command:

./add.nfsen.channels.sh Host1 "1.2.3.4/29 5.6.7.8/29" Breakdown

Where Host1 is the name for new profile, ‘1.2.3.4/29 5.6.7.8/29’ is IP addresses of the networks you wish to include into the graph and Breakdown is the name of the group for Profile. If do not plan to filter traffic in this profile by IPs of the networks just put ‘0.0.0.0/0’ instead of ‘1.2.3.4/29 5.6.7.8/29’.

8. Once the script is finished you’ll see new item in profile menu Breakdown –> Host1.

Related Articles

  • Network Traffic Generator: hping
  • How to monitor traffic at Cisco router using Linux (Netflow)
  • Install nfdump and nfsen netflow tools in Linux
Nfsen: Traffic Classification (2024)
Top Articles
Latest Posts
Article information

Author: Roderick King

Last Updated:

Views: 5625

Rating: 4 / 5 (71 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Roderick King

Birthday: 1997-10-09

Address: 3782 Madge Knoll, East Dudley, MA 63913

Phone: +2521695290067

Job: Customer Sales Coordinator

Hobby: Gunsmithing, Embroidery, Parkour, Kitesurfing, Rock climbing, Sand art, Beekeeping

Introduction: My name is Roderick King, I am a cute, splendid, excited, perfect, gentle, funny, vivacious person who loves writing and wants to share my knowledge and understanding with you.