Installation Guide



1. Prerequisites


Currently, packages are available for the following Linux distributions, in 32 and 64-bit: Debian 6, Ubuntu 11.10 and 10.04 LTS, Mageia 1, RHEL 5 and 6 (CentOS/SL/Oracle/...), Mandriva.

Firefox is the recommended browser. Chrome, Opera, SeaMonkey and Safari are also supported.

The following libraries are required: zlib, libpq, libopenssl, libpcap, libgeoip.

Installing the following utilities is recommended: whois, wget, bunzip2, gzip, dig, geoip.

A PostgreSQL server must be installed if you want to use the metrology features. In most cases it can also be used to record the flows.

ZNeTS performance depends on the disk access time of the PostgreSQL server. We have noticed that an SSD can improve performance significantly on very high-speed networks (in that case, mount the SSD on /var/lib/pgsql/data).


2. Installation


PostgreSQL server installation
ZNeTS has been tested with PostgreSQL server versions 8 and 9. It is probably available as a package for your Linux distribution; it is recommended that you install and start it first.


ZNeTS installation
Download the version corresponding to your Linux distribution and install it with your distribution's package tools.

Check the PostgreSQL server configuration file pg_hba.conf. It must contain the line

host znets znets 127.0.0.1/32  trust
# where: the second parameter "znets" is the PostgreSQL user,
# the third parameter "znets" is the database name,
# 127.0.0.1 is the IP address of the PostgreSQL server,
# and the method "trust" accepts connections matching this line without a password

If you modify this file, restart the PostgreSQL server.

Run znetsInitDB to initialize the database.


Interface configuration: if you want to acquire data from a dedicated interface, configure it to be brought up at boot time.

On Red Hat based distributions, edit the file /etc/sysconfig/network-scripts/ifcfg-ethX (where ethX is the Ethernet interface you want to use) and configure it as below:

DEVICE=ethX
ONBOOT=yes
TYPE=Ethernet
PROMISC=yes
USERCTL=no


3. Configuration


Refer to the information in man znets.conf and in the user documentation.

Only two parameters are required for ZNeTS to start: localNetwork, to declare your local area network(s) (named or not), and an acquisition method: useNetFlow and/or usePcap.

  • Using HTTPS requires an SSL key and certificate
    If you have a .crt and a .key file, concatenate them into a single PEM file:
    cat znets.crt znets.key > /etc/znets/znets.pem
    then add the two following lines to znets.conf:
    httpdUseSSL
    httpdSSLcertFile="/etc/znets/znets.pem"
    If needed, you can set the server certificate password, by adding:
    httpdSSLcertPwd="myPassword"
  • Authentication with an X509 certificate (over HTTPS) requires, in addition, a CA file to support chained certificates. Put it in /etc/znets, then add the two following lines to znets.conf:
    httpdAuthPeerSSL
    httpdSSLCaFile="/etc/znets/ca-chain.crt"
    Then add a line to znets.conf for each authorized DN:
    httpdAuthorizedPeerDN="/C=FR/O=.../OU=.../CN=.../emailAddress=..."


znets.conf - Example 1: Basic configuration of a ZNeTS instance acting as a collector, which acquires data from the physical interface eth1:

localNetwork=192.168.0.0/24, "myNet1"
localNetwork=192.168.1.0/24, "myNet2"
usePcap
pcapDevice="eth1"
#... the aggregation options may or may not be used
#... default options are used for DBMS and HTTP


znets.conf - Example 2: Basic configuration of a ZNeTS instance acting as a simple NetFlow v9 probe, which acquires data from the physical interface eth1:

localNetwork=192.168.0.0/24, "myNet1"
localNetwork=192.168.1.0/24, "myNet2"
sendNflowToHost="myCollector.myDomaine"
usePcap
pcapDevice="eth1"
# both the DBMS and HTTP features are disabled
DBMS=NONE
disableHttpdServer
#... the aggregation options may or may not be used


znets.conf - Example 3: Basic configuration of a ZNeTS instance acting as a NetFlow collector (collecting from two NetFlow or IPFIX sources):

localNetwork=192.168.0.0/24, "myNet1"
localNetwork=192.168.1.0/24, "myNet2"
useNetFlow
netFlowUdpPort=2055
# list of the allowed NetFlow probes
netFlowIpDataSources=10.0.0.2/32
netFlowIpDataSources=10.0.1.2/32
#... the aggregation options may or may not be used
#... default options are used for DBMS and HTTP
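As an added example (not ZNeTS code), the following Python lint checks a znets.conf against the rules this section states: the two mandatory parameters, valid network prefixes, and the HTTPS and X509 settings from the list above. The key=value syntax it parses is assumed from the three examples.

```python
import ipaddress
import re
# Added example, not ZNeTS code: lints a znets.conf against the rules stated in
# this guide. Syntax is assumed from the examples: one "key=value" or bare flag
# per line, '#' starts a comment ('#' inside a quoted value is not handled).
LINE_RE = re.compile(r'^([A-Za-z]+)\s*(?:=\s*(.*?))?$')

def parse_conf(text):
    """Map each key to the list of its values (a bare flag gets the value None)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('unparseable line: %r' % raw)
        conf.setdefault(m.group(1), []).append(m.group(2))
    return conf

def check_conf(text):
    """Return the list of rule violations; an empty list means the config passes."""
    conf = parse_conf(text)
    problems = []
    if 'localNetwork' not in conf:
        problems.append('localNetwork is required')
    for value in conf.get('localNetwork', []) + conf.get('netFlowIpDataSources', []):
        try:  # '192.168.0.0/24, "myNet1"' -> validate the network part only
            ipaddress.ip_network((value or '').split(',', 1)[0].strip().strip('"'), strict=True)
        except ValueError:
            problems.append('not a valid network: %s' % value)
    if 'useNetFlow' not in conf and 'usePcap' not in conf:
        problems.append('useNetFlow and/or usePcap is required')
    # HTTPS needs the PEM; X509 peer auth needs HTTPS, a CA file and at least one DN.
    if 'httpdUseSSL' in conf and not conf.get('httpdSSLcertFile', [None])[0]:
        problems.append('httpdUseSSL requires httpdSSLcertFile')
    if 'httpdAuthPeerSSL' in conf:
        if 'httpdUseSSL' not in conf:
            problems.append('httpdAuthPeerSSL requires httpdUseSSL')
        if not conf.get('httpdSSLCaFile', [None])[0]:
            problems.append('httpdAuthPeerSSL requires httpdSSLCaFile')
        dns = [(d or '').strip().strip('"') for d in conf.get('httpdAuthorizedPeerDN', [])]
        if not dns or not all(d.startswith('/') for d in dns):
            problems.append('httpdAuthPeerSSL needs httpdAuthorizedPeerDN entries like "/C=.../CN=..."')
    return problems

if __name__ == '__main__':
    # Constructed sample: a pcap collector with HTTPS turned on but no PEM file given.
    print(check_conf('localNetwork=192.168.0.0/24, "myNet1"\nusePcap\nhttpdUseSSL\n'))
```

Run it against /etc/znets/znets.conf before a reload; an empty list means every rule from this section is satisfied.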


4. With NetFlow-capable equipment


If you plan to use network equipment able to send NetFlow, configure it to export NetFlow to the ZNeTS collector.

With a Cisco switch supporting NetFlow, you would modify your configuration as follows:

cisco(config)#ip flow-export destination  znets-collector 2055

(replace znets-collector with the hostname or IP address of your ZNeTS collector)


cisco(config)#ip flow-export source FastEthernet 0/1
cisco(config)#ip flow-export version 5

(v9 is required only with IPv6)


cisco(config)#ip flow-cache timeout active 1
cisco(config)#ip flow-cache timeout inactive 15
cisco(config)#interface FastEthernet 0/1
cisco(config-if)#ip route-cache flow
cisco(config-if)#exit
cisco(config)#^Z
cisco#write


Enabling NetFlow export on switches from other vendors should be relatively simple and intuitive using their administration interfaces.


5. Starting, stopping, restarting, reloading configuration...

Whatever Linux distribution you use, a script in /etc/init.d can:

- start ZNeTS
/etc/init.d/znets start

- stop ZNeTS
/etc/init.d/znets stop

- restart ZNeTS
/etc/init.d/znets restart

- reload the ZNeTS configuration (with no data loss)
/etc/init.d/znets reload
This works for most parameters; only a few (such as the ZNeTS service ports) cannot be changed on the fly.